/Develop_Branch/NPL/common/Smb.npl
# · Unknown · 10693 lines · 10365 code · 328 blank · 0 comment · 0 complexity · 49a0b3005c99b78e36f712f2f6815c07 MD5 · raw file
- //# (c) 2010 Outercurve Foundation
- //#
- //# Title: Server Message Block Protocol (SMB)
- //#
- //# Details:
- //#
- //# Public References: RFC 2478 - Security Blob is Authentication token in RFC 2478 format
- //# ftp://ftp.microsoft.com/developr/drg/CIFS/
- //# Section "Server Message Block Protocol" of http://protoserver/protocol_without_lh/
- //# http://www.jalix.org/ressources/reseaux/nfs-samba/samba/~smb/SMBPUB.DOC
- //# Microsoft References: [MS-MSRP]: Messenger Service Remote Protocol Specification
- //# [MS-MAIL]: Remote Mailslot Protocol Specification
- //# [MS-SMB]: Server Message Block (SMB) Protocol Specification (27.0)
- //# [MS-CIFS]: Common Internet File System (CIFS) Protocol Specification (7.0)
- //#
- //# Comments:
- //#
- //# Revision Class and Date:Major, 3/25/2009
- //# Minor, 10/17/2012
- //#
- //####
- [BuildConversationWithParent]
- Protocol SMBOverTCP = FormatString("%s", Property.SMBOverTCPSummary)
- {
- [
- Post.Property.SMBOverTCPIsFirst = Conversation.SMBOverTCPIsStartSeq$[Property.NetworkDirection, Property.TcpSeqNumber] && (Tcp.Flags.Push || HighestReassembledProtocol == "TCP" || HighestReassembledProtocol == "SMBOverTCP"),
- Post.Property.SMBOverTCPIsLast = Conversation.SMBOverTCPIsStartSeq$[Property.NetworkDirection, Property.TcpNextSeqNumber] || HighestReassembledProtocol == "SMBOverTCP",
-
- Post.PayloadStart
- (
- NetworkDirection, /* direction */
- 0, /* id */
- 0, /* sequence token */
- 0, /* next sequence token */
- 0, /* total payload length*/
- Property.SMBOverTCPIsFirst, /* is first */
- Property.SMBOverTCPIsLast, /* is last */
- RssmblyIndStartBit+RssmblyIndEndBit+RssmblySelfBit
- )
- ]
- while [FrameLength > FrameOffset]
- {
- [
- Conversation.SMBIsRawData ? Conversation.IsSMBRawDataMV$[FrameNumber] = Conversation.SMBIsRawData : 0,
- Property.SMBIsRawData = Conversation.IsSMBRawDataMV$[FrameNumber],
- Post.Conversation.SMBIsRawData = Property.SMBIsRawData,
-
- Post.Conversation.SMBOverTCPEndSeqTable$[MakeByteArray(Property.NetworkDirection, Property.TcpNextSeqNumber)] = Conversation.SMBOverTCPEndSeqVar$[Property.NetworkDirection]
- ]
- SMBOverTCPPacket SMBOverTCPPacket;
- }
- }
-
- struct SMBOverTCPPacket = IsValueNone(ZERO) ? "Continuation Data" : FormatString("Length = %u%s", Length, Length == 0 ? ", RawDataEnd":"")
- {
- switch
- {
- case Property.SMBIsRawData || (UINT8(FrameData, FrameOffset) == 0 && (UINT8(FrameData, FrameOffset + 4) == 0xFF || UINT8(FrameData, FrameOffset + 4) == 0xFE || UINT8(FrameData, FrameOffset + 4) == 0xFD) && Asciistring(FrameData,FrameOffset+5,3) == "SMB"):
- [Conversation.SMBOverTCPIsStartSeq$[Property.NetworkDirection, Property.TcpSeqNumber + CurrentProtocolOffset] = true]
- [Conversation.SMBOverTCPIsStartSeq$[Property.NetworkDirection, Property.TcpSeqNumber + CurrentProtocolOffset + 4 + UINT24(FrameData, FrameOffset + 1)] = true]
- [Conversation.SMBOverTCPEndSeqVar$[Property.NetworkDirection] = Property.TcpSeqNumber + CurrentProtocolOffset + 4 + UINT24(FrameData, FrameOffset + 1)]
- [Property.IsMoreThanOneSMBOverTcp = Property.IsMoreThanOneSMBOverTcp ? true : ((FrameLength - FrameOffset) > (4 + UINT24(FrameData, FrameOffset + 1)))]
- [Property.SMBOverTCPCount = Property.SMBOverTCPCount + 1]
- [Property.SMBOverTCPSummary = Property.SMBOverTCPCount == 1 ? FormatString("Length = %u%s", Length, Length == 0 ? ", RawDataEnd":"") : FormatString("SMBOverTcp Packet Count : %u", Property.SMBOverTCPCount)]
- struct
- {
- UINT8 ZERO;
- [DataFieldByteOrder = BigEndian, Property.SMBOverTCPLength]
- UINT24 Length;
- switch
- {
- case Length > 0:
- [DataFieldFrameLength = FrameOffset + Length]
- struct
- {
- switch
- {
- case UINT8(FrameData,FrameOffset) == 0xFF &&Asciistring(FrameData,FrameOffset+1,3) == "SMB": // 0xFFSMB
- SMB Smb;
- case UINT8(FrameData,FrameOffset) == 0xFE &&Asciistring(FrameData,FrameOffset+1,3) == "SMB": // 0xFESMB
- case UINT8(FrameData,FrameOffset) == 0xFD &&Asciistring(FrameData,FrameOffset+1,3) == "SMB": // 0xFDSMB
- while [FrameOffset < FrameLength]
- {
- SMB2 SMB2;
- }
- default:
- SMB SmbRawData;
- }
- switch
- {
- case FrameOffset < FrameLength:
- BLOB(FrameLength - FrameOffset) Padding;
- }
- }
- }
- }
- default:
- switch
- {
- case IsValueNone(Conversation.SMBOverTCPEndSeqTable$[MakeByteArray(Property.NetworkDirection, Property.TcpSeqNumber)] ):
- Blob(FrameLength - FrameOffset) SMBOverTCPContinuationData;
- default:
- [
- Property.SMBOverTCPSummary = "Continuation Data",
- Local.SMBOverTCPRemainLengthData = Conversation.SMBOverTCPEndSeqTable$[MakeByteArray(Property.NetworkDirection, Property.TcpSeqNumber)] - Property.TcpSeqNumber,
- Local.SMBOverTCPRemainLengthData = FrameLength - FrameOffset > local.SMBOverTCPRemainLengthData ? local.SMBOverTCPRemainLengthData : FrameLength - FrameOffset
- ]
- Blob(local.SMBOverTCPRemainLengthData) ContinuationData;
- }
- }
- }
-
- ////////////////****************************************************************////////////////
- ////////////////************************ SMB Protocol **************************////////////////
- ////////////////****************************************************************////////////////
- // R - Response, C - Command
- [DataTypeByteOrder = LittleEndian, DefaultTimeOut = SMBConversationTimeout]
- Protocol SMB = (Property.KrbError ? "KrbError: " + KrbErrorCodeTable(Property.KrbError) + " " : "") +
- (Property.SMBResponse ? "R":"C") +
- (Property.SMBInterimResponse ? "; InterimResponse" : "") +
- (Property.SMBComSummary) +
- (Property.AuthSummary ? ", " + Property.AuthSummary : "") +
- (Property.SMBFileName.Contains("\\Policies\\{") ? " - Group Policy" : "") +
- (Property.SMBErrorSummary) +
- ((Property.ParserWarning == 1) ? "; Warning: " + Property.ParserWarningMessage : "")
- {
- switch(UINT32(FrameData, FrameOffset))
- {
- case 0x424D53FF:
- struct
- {
- [
- SMBCommand = UINT8(FrameData, FrameOffset + 4),
- SMBResponse = ( ( UINT8(FrameData, FrameOffset + 9) & 0x80 ) == 0x80 ) ? true : false,
- SMBTID = UINT16(FrameData, FrameOffset + 24),
- SMBPID = IPX.SMB ? UINT16(FrameData, FrameOffset + 26) : (UINT16(FrameData, FrameOffset + 12)<<16) + UINT16(FrameData, FrameOffset + 26),
- SMBUID = UINT16(FrameData, FrameOffset + 28),
- SMBMID = UINT16(FrameData, FrameOffset + 30)
- ]
- [Property.SMBIsRawData = (SMBCommand == 0x1A || SMBCommand == 0x1D)]
- switch
- {
- case SMBResponse /* SMB Response */
- && SMBCommand == 0x32: /* SMB Transaction2 */
- [
- conversation.SMBSubCommandPerFrame$[FrameNumber] = conversation.SMBSubCommandTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],//get from SMB parent protocol conversation
- SMBSubCommand = conversation.SMBSubCommandPerFrame$[FrameNumber],
- conversation.TransactRequestSetupCountPerFrame$[FrameNumber] = conversation.SMBTransactSetupCount$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- TransactRequestSetupCount = conversation.TransactRequestSetupCountPerFrame$[FrameNumber],
- conversation.SMBTransInfoLevelPerFrame$[FrameNumber] = conversation.SMBTransact2InformationLevelTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],//get from SMB conversation
- TransInformationLevel = conversation.SMBTransInfoLevelPerFrame$[FrameNumber],//get from SMB parent protocol conversation
- conversation.SMBFindResumeKeyRequestedPerFrame$[FrameNumber] = conversation.SMBTransact2FindResumeKey$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- FindResumeKeyRequested = conversation.SMBFindResumeKeyRequestedPerFrame$[FrameNumber],
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, conversation.SMBFileIDCountTable$[FrameNumber])],
- conversation.SMBParameterCountPerFrame$[FrameNumber] = conversation.SMBParaCountTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBParameterCount = conversation.SMBParameterCountPerFrame$[FrameNumber]
- ]
- _struct _GetSMBTrans2ResponseProperties{};
- }
- //
- // BuildConversation for SMB Transaction2 Response 0x01, 0x02, 0x05, 0x07, 0x08, 0x10, 0x03, 0x0F, 0x04
- //
- switch
- {
- case !conversation.SMB.Id /* Do NOT have a SMB Conversation */
- && SMBResponse /* SMB Response */
- && SMBCommand == 0x32 /* SMB Transaction2 */
- && (SMBSubCommand == 0x01
- || SMBSubCommand == 0x02
- || SMBSubCommand == 0x05
- || SMBSubCommand == 0x07
- || SMBSubCommand == 0x08
- || SMBSubCommand == 0x10
- ||(SMBSubCommand == 0x03 && SMBParameterCount == 0x04)
- ||(SMBSubCommand == 0x0F && SMBParameterCount == 0x04)
- || SMBSubCommand == 0x04
- ):
- [
- BuildConversationWithParent(
- (SMBSubCommand == 0x07 || SMBSubCommand == 0x08|| SMBSubCommand == 0x03|| SMBSubCommand == 0x04|| SMBSubCommand == 0x0F)
- ? (Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount))
- : MakeByteArray(SMBTID, SMBPID, SMBMID)
- ),
- Post.Conversation.ConversationDescription
- = (SMBSubCommand == 0x07 || SMBSubCommand == 0x08|| SMBSubCommand == 0x03|| SMBSubCommand == 0x04|| SMBSubCommand == 0x0F)
- ? (Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID))
- : FormatString("(TID:0x%04X, PID:0x%04X, MID:0x%04X) ConvID = %d", SMBTID, SMBPID, SMBMID, ConvID),
- conversation.SMBSubCommandPerFrame$[FrameNumber] = conversation.SMB.SMBSubCommandTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],//get from SMB parent protocol conversation
- SMBSubCommand = conversation.SMBSubCommandPerFrame$[FrameNumber],
- conversation.SMBTransInfoLevelPerFrame$[FrameNumber] = conversation.SMBTransact2InformationLevelTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],//get from SMB conversation
- TransInformationLevel = conversation.SMBTransInfoLevelPerFrame$[FrameNumber]
- ]
- _struct _BuildConversation{};
- }
- //
- // PaylaodStart for SMB Transaction2 Response 0x01, 0x02, 0x05, 0x07, 0x10
- //
- switch
- {
- case (UINT8( Framedata, Offset + 9 ) & 0x80) == 0x80 /* SMB Response */
- && !((UINT32(FrameData, FrameOffset + 5) & 0x0000FFFF) == 0x00000005) /* NOT STATUS_BUFFER_OVERFLOW */
- && UINT16(FrameData, FrameOffset + 43) == 0 /* ParamDisplacement == 0 */
- && UINT16(FrameData, FrameOffset + 49) == 0 /* DataDisplacement == 0 */
- && SMBCommand == 0x32 /* SMB Transaction2 */
- && (SMBSubCommand == 0x01
- || SMBSubCommand == 0x02
- || SMBSubCommand == 0x05
- || SMBSubCommand == 0x07
- || SMBSubCommand == 0x10
- ):
- [PayloadStart(
- NetworkDirection, /* direction */
- 0, /* id */
- UINT16(FrameData, FrameOffset + 49), //0 /* sequence token */
- UINT16(FrameData, FrameOffset + 45), //DataOffset /* next sequence token */
- 0, //UINT16(FrameData, FrameOffset + 35) + UINT16(FrameData, FrameOffset + 47), /* total payload length: TotalDataCount + DataOffset*/
- 1, /* is first */
- UINT16(FrameData, FrameOffset + 35) == UINT16(FrameData, FrameOffset + 45), /* is last */
- RssmblyIndStartBit+RssmblyIndEndBit+RssmblySequenceBit+RssmblySelfBit,
- 0x0000, /* Properties... */
- SMBResponse,
- 0x0000,
- ""
- )
- ]
- _struct _PayloadStart{};
- }
- }
- }
- [
- SMBComSummary = "",
- SMBComPramSummary = ""
- ]
- switch(UINT32(FrameData, FrameOffset))
- {
- case 0x424D53FF:
- AsciiString(4) Protocol = AsciiString(frameData,offset +1, 3);
- default:
- // 0x1A - SMB_COM_READ_RAW, 0x1D - SMB_COM_WRITE_RAW
- [
- Property.TCPAckNumber = Property.TCPAckNumber ? Property.TCPAckNumber : Conversation.TCPAckToSeqMap$[MakeByteArray(Property.NetworkDirection,Property.TCPSeqNumber)],
- Conversation.TCPAckToSeqMap$[MakeByteArray(Property.NetworkDirection,Property.TCPSeqNumber)] = Property.TCPAckNumber,
- Property.SMBCommand = Conversation.SMBReadRawFileID$[Property.TCPAckNumber] ? 0x1A : 0x1D,
- Property.SMBResponse = Property.SMBCommand == 0x1A ? True : False,
- Property.SMBFileID = Property.SMBCommand == 0x1A ? Conversation.SMBReadRawFileID$[Property.TCPAckNumber] : Conversation.SMBWriteRawFileID$[Property.TCPSeqNumber],
- Property.SMBFileName = Property.SMBCommand == 0x1A ? Conversation.SMBReadRawFileName$[Property.TCPAckNumber] : Conversation.SMBWriteRawFileName$[Property.TCPSeqNumber],
- Property.SMBFIDCount = Property.SMBCommand == 0x1A ? Conversation.SMBReadRawFileIdCount$[Property.TCPAckNumber] : Conversation.SMBWriteRawFileIDCount$[Property.TCPSeqNumber],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComSummary = FormatString("; %s, FID = 0x%04X%s", SMBCommandTable(SMBCommand), SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- BLOB(FrameLength - FrameOffset) RawData;
- }
-
-
- [
- SMBAndXOffset = 32,
- SMBCommand
- ]
- UINT8 Command = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- //#
- //# becaust the byteOrder of SMB is LittleEndian, so UINT8( Framedata, Offset + 6 ) is the Most significant Byte of FLAGS2
- //# and UINT8( Framedata, Offset + 6 ) & 0x40 refer to FLAGS2.CODES
- //#
- switch (UINT8( Framedata, Offset + 6 ) & 0x40)
- {
- case 0x40:
- [SMBStatus]
- UINT32 NTStatus = FormatString("0x%X, Facility = %s, Severity = %s, Code = %s",
- this,
- SMBNTStatusFacilityValueTable(Facility),
- SMBNTStatusSeverityValueTable(Severity),
- SMBNTStatusCodeTable(Facility, Severity, Code)
- )
- {
- UINT32 Code:16 = FormatString(" (%s) %s", this.ToBitString,
- SMBNTStatusCodeTable(UINT16(FrameData, FrameOffset+2) & 0x1FFF, /* Facility */
- (UINT16(FrameData, FrameOffset+2) & 0xE000) >> 14, /* Severity */
- this) /* Code */
- );
- UINT32 Facility:13 = FormatString("(%s) %s", this.ToBitString, SMBNTStatusFacilityValueTable(this));
- UINT32 Customer:1 = FormatString("(%s) %s", this.ToBitString, this ? "Customer Defined" : "NOT Customer Defined");
- [SMBNTstatusSeverity,
- SMBErrorSummary = (Severity != 0) ? FormatString(" - NT Status: %s - %s, Code = %s",
- SMBNTStatusFacilityTable(Facility),
- SMBNTStatusSeverityTable(Severity),
- SMBNTStatusCodeTable(Facility, Severity, Code)
- )
- : ""]
- UINT32 Severity:2 = FormatString("(%s) %s", this.ToBitString, SMBNTStatusSeverityValueTable(this));
- };
- case 0x00:
- [SMBStatus]
- struct DOSError = ErrorClass > 0 ? ErrorClass.ToString + " - " + Error.ToString : ErrorClass.ToString
- {
- [SMBErrorClass]
- UINT8 ErrorClass = SMBErrorClassTable(this);
- UINT8 Reserved;
- [SMBErrorSummary = ErrorClass > 0 ? " - " + ErrorClass.ToString + ", " + Error.ToString : ""]
- UINT16 Error = SMBErrorCodesTable(ErrorClass, this);
- };
- };
-
- struct SMBHeader = FormatString("%s, TID: 0x%04X, PID: 0x%04X, UID: 0x%04X, MID: 0x%04X", SMBResponse?"Response":"Command", SMBTID, SMBPID, SMBUID, SMBMID)
- {
- UINT8 Flags
- {
- UINT8 LockAndRead:1 = FormatString(" (%s) %s (SMB_FLAGS_LOCK_AND_READ_OK)", this.ToBitString, this ? "LOCK_AND_READ and WRITE_AND_UNLOCK supported (Obsolete)" : "LOCK_AND_READ and WRITE_AND_UNLOCK NOT supported (Obsolete)");
- UINT8 NoAck:1 = FormatString(" (%s) %s (SMB_FLAGS_SEND_NO_ACK[only applicable when SMB transport is NetBIOS over IPX])", this.ToBitString, this ? "An ACK response is NOT needed" : "An ACK response is needed");
- UINT8 Reserved_bit2:1 = FormatString(" (%s) %s (Must Be Zero)", this.ToBitString, "Reserved");
- UINT8 CaseInsensitive:1 = FormatString("(%s) %s (SMB_FLAGS_CASE_INSENSITIVE)", this.ToBitString, this ? "SMB paths are case-insensitive" : "SMB paths are case-sensitive");
- UINT8 Canonicalized:1 = FormatString(" (%s) %s (SMB_FLAGS_CANONICALIZED_PATHS)", this.ToBitString, this ? "Canonicalized File and pathnames (Obsolete)" : "No canonicalized File and pathnames (Obsolete)");
- UINT8 Oplock:1 = FormatString(" (%s) %s (SMB_FLAGS_OPLOCK)", this.ToBitString, this ? "Oplocks supported for OPEN, CREATE & CREATE_NEW (Obsolete)" : "Oplocks NOT supported for OPEN, CREATE & CREATE_NEW (Obsolete)");
- UINT8 OplockNotify:1 = FormatString(" (%s) %s (SMB_FLAGS_OPLOCK_NOTIFY_ANY)", this.ToBitString, this ? "Notifications supported for OPEN, CREATE & CREATE_NEW (Obsolete)" : "Notifications NOT supported for OPEN, CREATE & CREATE_NEW (Obsolete)");
- [SMBResponse]
- UINT8 FromServer:1 = FormatString(" (%s) %s (SMB_FLAGS_SERVER_TO_REDIR)", this.ToBitString, this ? "Response - SMB is being sent from the server" : "Command - SMB is being sent from the client");
- };
- UINT16 Flags2
- {
- UINT16 KnowsLongFiles:1 = FormatString(" (%s) %s (SMB_FLAGS2_KNOWS_LONG_NAMES)", this.ToBitString, this ? "Understands Long File Names" : "Understands only DOS 8.3 filenames");
- UINT16 KnowsEas:1 = FormatString(" (%s) %s (SMB_FLAGS2_KNOWS_EAS)", this.ToBitString, this ? "Understands extended attributes" : "Does NOT understand extended attributes");
- UINT16 SmbSecuritySignature:1 = FormatString(" (%s) %s (SMB_FLAGS2_SMB_SECURITY_SIGNATURE)", this.ToBitString, this ? "Security signatures enabled" : "Security signatures NOT enabled");
- UINT16 Compressed:1 = FormatString(" (%s) %s (SMB_FLAGS2_COMPRESSED)", this.ToBitString, this ? "Compression Enabled for REQ_NT_WRITE_ANDX and RESP_READ_ANDX" : "Compression Disabled for REQ_NT_WRITE_ANDX and RESP_READ_ANDX");
- UINT16 SecuritySignatureRequired:1 = FormatString("(%s) %s (SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED)", this.ToBitString, this ? "Security Signatures are required" : "Security Signatures are NOT required");
- UINT16 Reserved_bit5:1 = FormatString(" (%s) %s (Must Be Zero)", this.ToBitString, "Reserved");
- UINT16 IsLongName:1 = FormatString(" (%s) %s (SMB_FLAGS2_IS_LONG_NAME)", this.ToBitString, this ? "Use Long File Names" : "DO NOT use Long File Names");
- UINT16 Reserved_bits7_9:3 = FormatString(" (%s) %s (Must Be Zero)", this.ToBitString, "Reserved");
- [Property.SmbHeaderReparsePath]
- UINT16 ReparsePath:1 = FormatString(" (%s) %s (SMB_FLAGS2_REPARSE_PATH)", this.ToBitString, this ? "Reparse path" : "NOT a Reparse path");
- [ExtensionSecurity]
- UINT16 ExtendedSecurity:1 = FormatString(" (%s) %s (SMB_FLAGS2_EXTENDED_SECURITY)", this.ToBitString, this ? "Aware of extended security" : "NOT aware of extended security");
- UINT16 Dfs:1 = FormatString(" (%s) %s (SMB_FLAGS2_DFS)", this.ToBitString, this ? "Filenames use DFS namespace" : "NO DFS namespace");
- UINT16 Paging:1 = FormatString(" (%s) %s (SMB_FLAGS2_PAGING_IO)", this.ToBitString, this ? "Read operation allowed with only execute permission (Paging IO)" : "Read operation will NOT be permitted unless user has permission (NO Paging IO)");
- UINT16 NTStatus:1 = FormatString(" (%s) %s (SMB_FLAGS2_NT_STATUS)", this.ToBitString, this ? "Using 32-bit NT status error codes" : "Using DOS-style error codes");
- [SMBUnicode]
- UINT16 Unicode:1 = FormatString(" (%s) %s (SMB_FLAGS2_UNICODE)", this.ToBitString, this ? "Using UNICODE strings" : "Using ASCII strings");
- };
- // The security signature field and PidHigh was introduced for NT LM 0.12, so earlier dialects did not have these fields
- // Since filtering for SMB captures is very common, we will not differentiate the negotiated versions
- [Property.PIDHigh]
- UINT16 PIDHigh;
- Struct SecurityFeatures
- {
- Switch
- {
- Case IPX.SMB:
- Struct
- {
- UINT32 Key;
- UINT16 Cid;
- UINT16 SequenceNumber;
- }
- Default: BLOB(8) SecuritySignature = FormatString("0x%I64X", this);
- }
- }
- UINT16 Unused;
- [SMBTID]
- UINT16 TreeID;
- [SMBPID = Property.PIDHigh*65536 + ProcessID]
- UINT16 ProcessID;
- [SMBUID]
- UINT16 UserID;
- [SMBMID]
- UINT16 MultiplexID;
- };//# End of struct SMBHeader
-
- switch
- {
- //
- // this is a Error message with no Data
- //
- case UINT8( Framedata, Offset ) == 0 && (SMBErrorClass > 0 || SMBNTstatusSeverity == 3) && !(SMBCommand == 0x29) && !(SMBCommand == 0x2A):
- [
- conversation.SMBSubCommandPerFrame$[FrameNumber] = conversation.SMBSubCommandTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBSubCommand = conversation.SMBSubCommandPerFrame$[FrameNumber],
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileNamePerFrame$[FrameNumber] = conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)]
- ? conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] /*If this is a response of create/open...*/
- : conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, conversation.SMBFileIDCountTable$[FrameNumber])], /*Get File Name using File ID*/
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Property.SMBFileName = conversation.SMBFileNamePerFrame$[FrameNumber],
- Property.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- SMBComSummary = "; " + SMBCommandTable(SMBCommand),
- SMBComSummary = ( SMBCommand == 0x32 || SMBCommand == 0xA0 ) ? SMBComSummary + ", " + SMBComSubCommandTable(SMBCommand, SMBSubCommand) : SMBComSummary,
- Post.SMBComSummary = SMBComSummary + SMBComPramSummary
- ]
- struct ErrorMessage
- {
- UINT8 WordCount;
- switch
- {
- case SMBFileID || Property.SMBFileName:
- [
- SMBCommand = 0xFF,
- SMBComPramSummary = (!conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] && SMBFileID) ? FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "") : ""
- ]
- _struct BuildConversationForErrorMessage
- {
- UINT16 ByteCount;
- switch
- {
- case !conversation.SMB.Id:
- [ BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID)]
- struct{};
- }
- }
- default:
- [SMBCommand = 0xFF]
- UINT16 ByteCount;
- }
- switch
- {
- case FrameOffset < FrameLength:
- BLOB(FrameLength - FrameOffset) UnknownData;
- }
- };
- default:
- [Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber]]
- While /*SMBCommands*/[ frameOffset < frameLength && SMBCommand <> 0xFF && frameOffset == ProtocolOffset + SMBAndXOffset ]
- {
- [
- SMBComSummary = SMBComSummary + "; " + SMBCommandTable(SMBCommand),
- Post.SMBComSummary = SMBComSummary + SMBComPramSummary
- ]
- switch(SMBResponse)
- {
- case 0:
- // Request
- switch(SMBCommand)
- {
- case 0x00: SMBComCreateDirectoryRequest CCreateDirectory;
- case 0x01: SMBComDeleteDirectoryRequest CDeleteDirectory;
- case 0x02: SMBComOpenRequest COpen;
- case 0x03: SMBComCreateRequest CCreate;
- case 0x04: SMBComCloseRequest CClose;
- case 0x05: SMBComFlushRequest CFlush;
- case 0x06: SMBComDeleteRequest CDelete;
- case 0x07: SMBComRenameRequest CRename;
- case 0x08: SMBComQueryInformationRequest CQueryInformation;
- case 0x09: SMBComSetInformationRequest CSetInformation;
- case 0x0A: SMBComReadRequest CRead;
- case 0x0B: SMBComWriteRequest CWrite;
- case 0x0C: SMBComLockByteRangeRequest CLockByteRange;
- case 0x0D: SMBComUnlockByteRangeRequest CUnlockByteRange;
- case 0x0E: SMBComCreateTemporaryRequest CCreateTemporary;
- case 0x0F: SMBComCreateNewRequest CCreateNew;
- case 0x10: SMBComCheckDirectoryRequest CCheckDirectory;
- case 0x11: SMBComProcessExitRequest CProcessExit;
- case 0x12: SMBComSeekRequest CSeek;
- case 0x13: SMBComLockAndReadRequest CLockAndRead;
- case 0x14: SMBComWriteRequestAndUnlockRequest CWriteAndUnlock;
- case 0x1A: SMBComReadRequestRawRequest CReadRaw;
- case 0x1B: SMBComReadRequestMPXRequest CReadMPX;
- case 0x1C: SMBComReadRequestMPXSecondaryRequest CReadMPXSecondary;
- case 0x1D: SMBComWriteRequestRawRequest CWriteRaw;
- case 0x1E: SMBComWriteRequestMPXRequest CWriteMPX;
- case 0x1F: SMBComWriteRequestMPXSecondaryRequest CWriteMPXSecondary;
- case 0x22: SMBComSetInformationRequest2 CSetInformation2;
- case 0x23: SMBComQueryInformationRequest2 CQueryInformation2;
- case 0x24: SMBComLockingAndXRequest CLockingAndX;
- case 0x25: SMBComTransactionRequest CTransaction;
- case 0x26: SMBComTransactionSecondaryRequest CTransactionSecondary;
- case 0x27: SMBComIOCTLPrimaryRequest CIOCTL;
- case 0x28: SMBComIOCTLSecondaryRequest CSecondaryIOCTL;
- case 0x29: SMBComCopyRequest CCopy;
- case 0x2A: SMBComMoveRequest CMove;
- case 0x2B: SMBComEchoRequest CEcho;
- case 0x2C: SMBComWriteRequestAndCloseRequest CWriteAndClose;
- case 0x2D: SmbComOpenAndxClientRequest COpenAndX;
- case 0x2E: SMBComReadRequestAndXRequest CReadAndX;
- case 0x2F: SMBComWriteRequestAndXRequest CWriteAndX;
- case 0x31: SMBComCloseAndTreeDisconnectedRequest CCloseAndTreeDisconnected;
- case 0x32: SMBComTransaction2Request CTransaction2;
- case 0x33: SMBComTransaction2SecondaryRequest CTransaction2Secondary;
- case 0x34: SMBComFindClose2Request CFindClose2;
- case 0x35: SMBComFindNotifyCloseRequest CFindNotifyClose;
- case 0x70: SMBComTreeConnectRequest CTreeConnect;
- case 0x71: SMBComTreeDisconnectRequest CTreeDisconnect;
- case 0x72: SMBComNegotiateRequest CNegotiate;
- case 0x73: switch(UINT8( Framedata, Offset ))
- {
- case 10:
- switch (ExtensionSecurity)
- {
- case 0: SmbComSessionSetupAndxClientRequest CSessionSetupAndXRequest;
- case 1: SmbComSessionSetupAndxClientRequestExtension CSessionSetupAndXRequestExtension;
- }
- case 12: SMBComSessionSetupAndXNTLMESSRequest CSessionSetupAndXNTLMESS;
- case 13: SMBComSessionSetupAndXNTLMNoESSRequest CSessionSetupAndXNTLMNoESS;
- default:
- switch (ExtensionSecurity)
- {
- case 0: SmbComSessionSetupAndxClientRequest CSessionSetupAndXRequest;
- case 1: SmbComSessionSetupAndxClientRequestExtension CSessionSetupAndXRequestExtension;
- }
- }
- case 0x74: SMBComLogoffAndXRequest CLogoffAndX;
- case 0x75: SmbComTreeConnectAndxClientRequest CTreeConnectAndX;
- case 0x80: SMBComQueryInformationDiskRequest CQueryInformationDisk;
- case 0x81: SMBComSearchRequest CSearch;
- case 0x82: SMBComFindRequest CFind;
- case 0x83: SMBComFindUniqueRequest CFindUnique;
- case 0x84: SMBComFindCloseRequest CFindClose;
- case 0xA0: SMBComNTTransactionRequest CNTTransaction;
- case 0xA1: SMBComNTTransactionSecondaryRequest CNTTransactSecondary;
- case 0xA2: SMBRequestNTCreateAndX CNTCreateAndX;
- case 0xA4: SMBComNTCancelRequest CNTCancel;
- case 0xA5: SMBComNTRenameRequest CNTRename;
- case 0xC0: SMBComOpenPrintFileRequest COpenPrintFile;
- case 0xC1: SMBComWriteRequestPrintFileRequest CWritePrintFile;
- case 0xC2: SMBComClosePrintFileRequest CClosePrintFile;
- case 0xC3: SMBComGetPrintQueueRequest CGetPrintQueue;
- case 0xD0: SMBComSendSingleMessageRequest CSendSingleMessage;
- case 0xD1: SMBComSendBroadcastMessageRequest CSendBroadcastMessage;
- case 0xD2: SMBComForwardUserNameRequest CForwardUserName;
- case 0xD3: SMBComCancelForwardRequest CCancelForward;
- case 0xD4: SMBComGetMachineNameRequest CGetMachineName;
- case 0xD5: SMBComSendStartOfMultiBlockMessageRequest CSendStartOfMultiBlockMessage;
- case 0xD6: SMBComSendEndOfMultiBlockMessageRequest CSendEndOfMultiBlockMessage;
- case 0xD7: SMBComSendTextOfMultiBlockMessageRequest CSendTextOfMultiBlockMessage;
- case 0xFE: Blob(FrameLength-FrameOffset) SMBCOMINVALIDData;
- //NOT implemented
- //0xD8 SMBreadbulk
- //0xD9 SMBwritebulk
- //0xDA SMBwritebulkdata
-
- default: ReportParserError(ParserErrorProtocolClassWindows, "SMB", FormatString("Unknown SMB Command, Command = 0x%X", SMBCommand)) SMBCommandError;
- }
- case 1:
- // Response
- switch(SMBCommand)
- {
- case 0x00: SMBComCreateDirectoryResp RCreateDirectory;
- case 0x01: SMBComDeleteDirectoryResp RDeleteDirectory;
- case 0x02: SMBComOpenResp ROpen;
- case 0x03: SMBComCreateResp RCreate;
- case 0x04: SMBComCloseResp RClose;
- case 0x05: SMBComFlushResp RFlush;
- case 0x06: SMBComDeleteResp RDelete;
- case 0x07: SMBComRenameResp RRename;
- case 0x08: SMBComQueryInformationResp RQueryInformation;
- case 0x09: SMBComSetInformationResp RSetInformation;
- case 0x0A: SMBComReadResp RRead;
- case 0x0B: SMBComWriteResp RWrite;
- case 0x0C: SMBComLockByteRangeResp RLockByteRange;
- case 0x0D: SMBComUnlockByteRangeResp RUnlockByteRange;
- case 0x0E: SMBComCreateTemporaryResp RCreateTemporary;
- case 0x0F: SMBComCreateNewResp RCreateNew;
- case 0x10: SMBComCheckDirectoryResp RCheckDirectory;
- case 0x11: SMBComProcessExitResp RProcessExit;
- case 0x12: SMBComSeekResp RSeek;
- case 0x13: SMBComLockAndReadResp RLockAndRead;
- case 0x14: SMBComWriteAndUnlockResp RWriteAndUnlock;
- case 0x1A: SMBComReadRawResp RReadRaw;
- case 0x1B:
- case 0x1C: SMBComReadMPXResp RReadMPX;
- case 0x1D: SMBComWriteRawResp RWriteRaw;
- case 0x1E: SMBComWriteMPXResp RWriteMPX;
- case 0x20: SMBComWriteCompleteResp RWriteComplete;
- case 0x22: SMBComSetInformation2Resp RSetInformation2;
- case 0x23: SMBComQueryInformation2Resp RQueryInformation2;
- case 0x24: SMBComLockingAndXResp RLockingAndX;
- case 0x25:
- case 0x26:
- switch(UINT8( Framedata, Offset ))
- {
- case 0: SMBComInterimTransactionResp RInterimTransaction;
- default: SMBComTransactionResp RTransaction;
- }
- case 0x27:
- case 0x28:
- switch(UINT8( Framedata, Offset ))
- {
- case 0 : SMBComInterimResponseIOCTL RInterimIOCTL;
- case 8 : SMBComIOCTLResp RIOCTL;
- }
- case 0x29: SMBComCopyResp RCopy;
- case 0x2A: SMBComMoveResp RMove;
- case 0x2B: SMBComEchoResp REcho;
- case 0x2C: SMBComWriteAndCloseResp RWriteAndClose;
- case 0x2D:
- switch(UINT8( Framedata, Offset ))
- {
- case 19: SmbComOpenAndxServerResponseExtension ROpenAndXExtension;
- default: SmbComOpenAndxServerResponse ROpenAndX;
- }
- case 0x2E: SMBComReadAndXResp RReadAndX;
- case 0x2F: SMBComWriteAndXResp RWriteAndX;
- case 0x31: SMBComCloseAndTreeDisconnectedResp RCloseAndTreeDisconnected;
- case 0x32:
- case 0x33: switch(UINT8( Framedata, Offset ))
- {
- case 0: SMBComInterimTransaction2Resp RTransaction2Interim;
- default: SMBComTransaction2Resp RTransaction2;
- }
- case 0x34: SMBComFindClose2Resp RFindClose2;
- case 0x35: SMBComFindNotifyCloseResp RFindNotifyClose;
- case 0x70: SMBComTreeConnectResp RTreeConnect;
- case 0x71: SMBComTreeDisconnectResp RTreeDisconnect;
- case 0x72:switch(UINT8( Framedata, Offset ))
- {
- case 1: SMBComNegotiateDialectUnknownResp RNegotiateDialectUnknown;
- case 13: SmbComNegotiateResponseLM21 RNegotiateDialectLANMAN21; // LAN Manager 2.1
- case 17: SmbComNegotiateResp RNegotiateDialectNTLM; // NT LAN Manager
- default:
- ReportParserError(ParserErrorProtocolClassWindows, "SMB", "Unknown SMB Negotiate Response") SMBNegotiateError;
- }
- case 0x73: switch(UINT8( Framedata, Offset ))
- {
- case 3: SmbComSessionSetupAndxServerResponse RSessionSetupAndXPriorNTLM;
- case 4: SmbComSessionSetupAndxServerResponseExtension RSessionSetupAndXNTLMAll;
- default: SmbComSessionSetupAndxServerResponse RSessionSetupAndXDefault;
- }
- case 0x74: SMBComLogoffAndX RLogoffAndX;
- case 0x75: switch(UINT8( Framedata, Offset ))
- {
- case 2: SMBComTreeConnectAndXBeforeLANMAN2Resp RTreeConnectAndXBeforeLANMAN2;
- case 3: SMBComTreeConnectAndXAfterLANMAN2Resp RTreeConnectAndXAfterLANMAN2;
- case 7: SmbComTreeConnectAndxServerResponseExtension RTreeConnectAndXExtended;
- default: SMBComTreeConnectAndXAfterLANMAN2Resp RTreeConnectAndXDefault;
- }
- case 0x80: SMBComQueryInformationDiskResp RQueryInformationDisk;
- case 0x81: SMBComSearchResp RSearch;
- case 0x82: SMBComFindResp RFind;
- case 0x83: SMBComFindUniqueResp RFindUnique;
- case 0x84: SMBComFindCloseResp RFindClose;
- case 0xA0:
- case 0xA1: switch(UINT8( Framedata, Offset ))
- {
- case 0: SMBComInterimResponseNTTransaction RNTTransactionInterim;
- default: SMBComNTTransactionResp RNTTransaction;
- }
- case 0xA2: SMBResponseNTCreateAndX RNTCreateAndX;
- case 0xA5: SMBComNTRenameResp RNTRename;
- case 0xC0: SMBComOpenPrintFileResp ROpenPrintFile;
- case 0xC1: SMBComWritePrintFileResp RWritePrintFile;
- case 0xC2: SMBComClosePrintFileResp RClosePrintFile;
- case 0xC3: SMBComGetPrintQueueResp RGetPrintQueue;
- case 0xD0: SMBComSendSingleMessageResp RSendSingleMessage;
- case 0xD2: SMBComForwardUserNameResp RForwardUserName;
- case 0xD3: SMBComCancelForwardResp RCancelForward;
- case 0xD4: SMBComGetMachineNameResp RGetMachineName;
- case 0xD5: SMBComSendStartOfMultiBlockMessageResp RSendStartOfMultiBlockMessage;
- case 0xD6: SMBComSendEndOfMultiBlockMessageResp RSendEndOfMultiBlockMessage;
- case 0xD7: SMBComSendTextOfMultiBlockMessageResp RSendTextOfMultiBlockMessage;
- default: ReportParserError(ParserErrorProtocolClassWindows, "SMB", FormatString("Unknown SMB Command, Command = 0x%X", SMBCommand)) SMBCommandError;
- }
- default: ReportParserError(ParserErrorProtocolClassWindows, "SMB", "NOT Request or Response") SMBReqResError;
- }
- }
- }
- }
-
- Table SMBFormatNumber(format, IsLarge, value)
- {
- switch
- {
- case IsLarge && format == "%u": FormatString("%I64u", value);
- case IsLarge && format == "%d": FormatString("%I64d", value);
- case IsLarge && format == "%x": FormatString("%I64x", value);
- case IsLarge && format == "%X": FormatString("%I64X", value);
- case format == "%u": FormatString("%u", value);
- case format == "%d": FormatString("%d", value);
- case format == "%x": FormatString("%x", value);
- case format == "%X": FormatString("%X", value);
- default: FormatString(format, value);
- }
- }
-
- /*
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/Other_2c5642f4-2661-4b69-b503-da1e92ab0db7.xml.asp
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/csalpha98/html/5.1.4_status_values_and_exception_codes.asp
- smbtab.c line 1756 ~
- format of 32 bit NT status
- 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
- 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
- +---+-+-------------------------+-------------------------------+
- |Sev|C| Facility | Code |
- +---+-+-------------------------+-------------------------------+
- */
-
- Table SMBNTStatusSeverityTable(Severity)
- {
- switch(Severity)
- {
- case 0: "Success";
- case 1: "Informational";
- case 2: "Warning";
- case 3: "Error";
- default: "Unknown Severity";
- }
- }
-
- Table SMBNTStatusSeverityValueTable(Severity)
- {
- switch(Severity)
- {
- case 0: "STATUS_SEVERITY_SUCCESS";
- case 1: "STATUS_SEVERITY_INFORMATIONAL";
- case 2: "STATUS_SEVERITY_WARNING";
- case 3: "STATUS_SEVERITY_ERROR";
- default: "Unknown Severity";
- }
- }
-
- Table SMBNTStatusFacilityTable(Facility)
- {
- switch(Facility)
- {
- case 0: "System";
- case 2: "Rpc Runtime";
- case 3: "Rpc Stubs";
- case 4: "Io Error Code";
- case 10: "Terminal Server";
- case 16: "Usb Error Code";
- case 17: "Hid Error Code";
- case 18: "Firewire Error Code";
- case 19: "Cluster Error Code";
- case 20: "Acpi Error Code";
- case 21: "Sxs Error Code";
- default: "Unknown Facility";
- }
- }
-
- Table SMBNTStatusFacilityValueTable(Facility)
- {
- switch(Facility)
- {
- case 0: "FACILITY_SYSTEM";
- case 2: "FACILITY_RPC_RUNTIME";
- case 3: "FACILITY_RPC_STUBS";
- case 4: "FACILITY_IO_ERROR_CODE";
- case 10: "FACILITY_TERMINAL_SERVER";
- case 16: "FACILITY_USB_ERROR_CODE";
- case 17: "FACILITY_HID_ERROR_CODE";
- case 18: "FACILITY_FIREWIRE_ERROR_CODE";
- case 19: "FACILITY_CLUSTER_ERROR_CODE";
- case 20: "FACILITY_ACPI_ERROR_CODE";
- case 21: "FACILITY_SXS_ERROR_CODE";
- default: "Unknown Facility";
- }
- }
-
- Table SMBNTStatusSystemSuccessCodeTable(code)
- {
- switch(code)
- {
- case 0x0000: "STATUS_SUCCESS";
- case 0x0001: "STATUS_WAIT_1";
- case 0x0002: "STATUS_WAIT_2";
- case 0x0003: "STATUS_WAIT_3";
- case 0x003F: "STATUS_WAIT_63";
- case 0x0080: "STATUS_ABANDONED_WAIT_0";
- case 0x00BF: "STATUS_ABANDONED_WAIT_63";
- case 0x00C0: "STATUS_USER_APC";
- case 0x0100: "STATUS_KERNEL_APC";
- case 0x0101: "STATUS_ALERTED";
- case 0x0102: "STATUS_TIMEOUT";
- case 0x0103: "STATUS_PENDING";
- case 0x0104: "STATUS_REPARSE";
- case 0x0105: "STATUS_MORE_ENTRIES";
- case 0x0106: "STATUS_NOT_ALL_ASSIGNED";
- case 0x0107: "STATUS_SOME_NOT_MAPPED";
- case 0x0108: "STATUS_OPLOCK_BREAK_IN_PROGRESS";
- case 0x0109: "STATUS_VOLUME_MOUNTED";
- case 0x010A: "STATUS_RXACT_COMMITTED";
- case 0x010B: "STATUS_NOTIFY_CLEANUP";
- case 0x010C: "STATUS_NOTIFY_ENUM_DIR";
- case 0x010D: "STATUS_NO_QUOTAS_FOR_ACCOUNT";
- case 0x010E: "STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED";
- case 0x0110: "STATUS_PAGE_FAULT_TRANSITION";
- case 0x0111: "STATUS_PAGE_FAULT_DEMAND_ZERO";
- case 0x0112: "STATUS_PAGE_FAULT_COPY_ON_WRITE";
- case 0x0113: "STATUS_PAGE_FAULT_GUARD_PAGE";
- case 0x0114: "STATUS_PAGE_FAULT_PAGING_FILE";
- case 0x0115: "STATUS_CACHE_PAGE_LOCKED";
- case 0x0116: "STATUS_CRASH_DUMP";
- case 0x0117: "STATUS_BUFFER_ALL_ZEROS";
- case 0x0118: "STATUS_REPARSE_OBJECT";
- default: "Unhandled Success code";
- }
- }
-
- Table SMBNTStatusSystemInfoCodeTable(code)
- {
- switch(code)
- {
- case 0x0000: "STATUS_OBJECT_NAME_EXISTS";
- case 0x0001: "STATUS_THREAD_WAS_SUSPENDED";
- case 0x0002: "STATUS_WORKING_SET_LIMIT_RANGE";
- case 0x0003: "STATUS_IMAGE_NOT_AT_BASE";
- case 0x0004: "STATUS_RXACT_STATE_CREATED";
- case 0x0005: "STATUS_SEGMENT_NOTIFICATION";
- case 0x0006: "STATUS_LOCAL_USER_SESSION_KEY";
- case 0x0007: "STATUS_BAD_CURRENT_DIRECTORY";
- case 0x0008: "STATUS_SERIAL_MORE_WRITES";
- case 0x0009: "STATUS_REGISTRY_RECOVERED";
- case 0x000A: "STATUS_FT_READ_RECOVERY_FROM_BACKUP";
- case 0x000B: "STATUS_FT_WRITE_RECOVERY";
- case 0x000C: "STATUS_SERIAL_COUNTER_TIMEOUT";
- case 0x000D: "STATUS_NULL_LM_PASSWORD";
- case 0x000E: "STATUS_IMAGE_MACHINE_TYPE_MISMATCH";
- case 0x000F: "STATUS_RECEIVE_PARTIAL";
- case 0x0010: "STATUS_RECEIVE_EXPEDITED";
- case 0x0011: "STATUS_RECEIVE_PARTIAL_EXPEDITED";
- case 0x0012: "STATUS_EVENT_DONE";
- case 0x0013: "STATUS_EVENT_PENDING";
- case 0x0014: "STATUS_CHECKING_FILE_SYSTEM";
- case 0x0015: "STATUS_FATAL_APP_EXIT";
- case 0x0016: "STATUS_PREDEFINED_HANDLE";
- case 0x0017: "STATUS_WAS_UNLOCKED";
- case 0x0018: "STATUS_SERVICE_NOTIFICATION";
- case 0x0019: "STATUS_WAS_LOCKED";
- case 0x001a: "STATUS_LOG_HARD_ERROR";
- case 0x001b: "STATUS_ALREADY_WIN32";
- default: "Unhandled Info code";
- }
- }
-
- Table SMBNTStatusSystemWarningCodeTable(code)
- {
- switch(code)
- {
- case 0x0001: "STATUS_GUARD_PAGE_VIOLATION";
- case 0x0002: "STATUS_DATATYPE_MISALIGNMENT";
- case 0x0003: "STATUS_BREAKPOINT";
- case 0x0004: "STATUS_SINGLE_STEP";
- case 0x0005: "STATUS_BUFFER_OVERFLOW";
- case 0x0006: "STATUS_NO_MORE_FILES";
- case 0x0007: "STATUS_WAKE_SYSTEM_DEBUGGER";
- case 0x0008: "STATUS_WAS_LOCKED";
- case 0x0009: "STATUS_WAS_UNLOCKED";
- case 0x000A: "STATUS_HANDLES_CLOSED";
- case 0x000B: "STATUS_NO_INHERITANCE";
- case 0x000C: "STATUS_GUID_SUBSTITUTION_MADE";
- case 0x000D: "STATUS_PARTIAL_COPY";
- case 0x000E: "STATUS_DEVICE_PAPER_EMPTY";
- case 0x000F: "STATUS_DEVICE_POWERED_OFF";
- case 0x0010: "STATUS_DEVICE_OFF_LINE";
- case 0x0011: "STATUS_DEVICE_BUSY";
- case 0x0012: "STATUS_NO_MORE_EAS";
- case 0x0013: "STATUS_INVALID_EA_NAME";
- case 0x0014: "STATUS_EA_LIST_INCONSISTENT";
- case 0x0015: "STATUS_INVALID_EA_FLAG";
- case 0x0016: "STATUS_VERIFY_REQUIRED";
- case 0x0017: "STATUS_EXTRANEOUS_INFORMATION";
- case 0x0018: "STATUS_RXACT_COMMIT_NECESSARY";
- case 0x001A: "STATUS_NO_MORE_ENTRIES";
- case 0x001B: "STATUS_FILEMARK_DETECTED";
- case 0x001C: "STATUS_MEDIA_CHANGED";
- case 0x001D: "STATUS_BUS_RESET";
- case 0x001E: "STATUS_END_OF_MEDIA";
- case 0x001F: "STATUS_BEGINNING_OF_MEDIA";
- case 0x0020: "STATUS_MEDIA_CHECK";
- case 0x0021: "STATUS_SETMARK_DETECTED";
- case 0x0022: "STATUS_NO_DATA_DETECTED";
- case 0x0023: "STATUS_REDIRECTOR_HAS_OPEN_HANDLES";
- case 0x0024: "STATUS_SERVER_HAS_OPEN_HANDLES";
- case 0x0025: "STATUS_ALREADY_DISCONNECTED";
- case 0x0026: "STATUS_LONGJUMP";
- case 0x002D: "STATUS_STOPPED_ON_SYMLINK";
- default: "Unhandled Warning code";
- }
- }
-
- Table SMBNTStatusSystemErrorCodeTable(code)
- {
- switch(code)
- {
- case 0x0001: "STATUS_UNSUCCESSFUL";
- case 0x0002: "STATUS_NOT_IMPLEMENTED";
- case 0x0003: "STATUS_INVALID_INFO_CLASS";
- case 0x0004: "STATUS_INFO_LENGTH_MISMATCH";
- case 0x0005: "STATUS_ACCESS_VIOLATION";
- case 0x0006: "STATUS_IN_PAGE_ERROR";
- case 0x0007: "STATUS_PAGEFILE_QUOTA";
- case 0x0008: "STATUS_INVALID_HANDLE";
- case 0x0009: "STATUS_BAD_INITIAL_STACK";
- case 0x000A: "STATUS_BAD_INITIAL_PC";
- case 0x000B: "STATUS_INVALID_CID";
- case 0x000C: "STATUS_TIMER_NOT_CANCELED";
- case 0x000D: "STATUS_INVALID_PARAMETER";
- case 0x000E: "STATUS_NO_SUCH_DEVICE";
- case 0x000F: "STATUS_NO_SUCH_FILE";
- case 0x0010: "STATUS_INVALID_DEVICE_REQUEST";
- case 0x0011: "STATUS_END_OF_FILE";
- case 0x0012: "STATUS_WRONG_VOLUME";
- case 0x0013: "STATUS_NO_MEDIA_IN_DEVICE";
- case 0x0014: "STATUS_UNRECOGNIZED_MEDIA";
- case 0x0015: "STATUS_NONEXISTENT_SECTOR";
- case 0x0016: "STATUS_MORE_PROCESSING_REQUIRED";
- case 0x0017: "STATUS_NO_MEMORY ;// winnt";
- case 0x0018: "STATUS_CONFLICTING_ADDRESSES";
- case 0x0019: "STATUS_NOT_MAPPED_VIEW";
- case 0x001A: "STATUS_UNABLE_TO_FREE_VM";
- case 0x001B: "STATUS_UNABLE_TO_DELETE_SECTION";
- case 0x001C: "STATUS_INVALID_SYSTEM_SERVICE";
- case 0x001D: "STATUS_ILLEGAL_INSTRUCTION";
- case 0x001E: "STATUS_INVALID_LOCK_SEQUENCE";
- case 0x001F: "STATUS_INVALID_VIEW_SIZE";
- case 0x0020: "STATUS_INVALID_FILE_FOR_SECTION";
- case 0x0021: "STATUS_ALREADY_COMMITTED";
- case 0x0022: "STATUS_ACCESS_DENIED";
- case 0x0023: "STATUS_BUFFER_TOO_SMALL";
- case 0x0024: "STATUS_OBJECT_TYPE_MISMATCH";
- case 0x0025: "STATUS_NONCONTINUABLE_EXCEPTION";
- case 0x0026: "STATUS_INVALID_DISPOSITION";
- case 0x0027: "STATUS_UNWIND";
- case 0x0028: "STATUS_BAD_STACK";
- case 0x0029: "STATUS_INVALID_UNWIND_TARGET";
- case 0x002A: "STATUS_NOT_LOCKED";
- case 0x002B: "STATUS_PARITY_ERROR";
- case 0x002C: "STATUS_UNABLE_TO_DECOMMIT_VM";
- case 0x002D: "STATUS_NOT_COMMITTED";
- case 0x002E: "STATUS_INVALID_PORT_ATTRIBUTES";
- case 0x002F: "STATUS_PORT_MESSAGE_TOO_LONG";
- case 0x0030: "STATUS_INVALID_PARAMETER_MIX";
- case 0x0031: "STATUS_INVALID_QUOTA_LOWER";
- case 0x0032: "STATUS_DISK_CORRUPT_ERROR";
- case 0x0033: "STATUS_OBJECT_NAME_INVALID";
- case 0x0034: "STATUS_OBJECT_NAME_NOT_FOUND";
- case 0x0035: "STATUS_OBJECT_NAME_COLLISION";
- case 0x0036: "STATUS_HANDLE_NOT_WAITABLE";
- case 0x0037: "STATUS_PORT_DISCONNECTED";
- case 0x0038: "STATUS_DEVICE_ALREADY_ATTACHED";
- case 0x0039: "STATUS_OBJECT_PATH_INVALID";
- case 0x003A: "STATUS_OBJECT_PATH_NOT_FOUND";
- case 0x003B: "STATUS_OBJECT_PATH_SYNTAX_BAD";
- case 0x003C: "STATUS_DATA_OVERRUN";
- case 0x003D: "STATUS_DATA_LATE_ERROR";
- case 0x003E: "STATUS_DATA_ERROR";
- case 0x003F: "STATUS_CRC_ERROR";
- case 0x0040: "STATUS_SECTION_TOO_BIG";
- case 0x0041: "STATUS_PORT_CONNECTION_REFUSED";
- case 0x0042: "STATUS_INVALID_PORT_HANDLE";
- case 0x0043: "STATUS_SHARING_VIOLATION";
- case 0x0044: "STATUS_QUOTA_EXCEEDED";
- case 0x0045: "STATUS_INVALID_PAGE_PROTECTION";
- case 0x0046: "STATUS_MUTANT_NOT_OWNED";
- case 0x0047: "STATUS_SEMAPHORE_LIMIT_EXCEEDED";
- case 0x0048: "STATUS_PORT_ALREADY_SET";
- case 0x0049: "STATUS_SECTION_NOT_IMAGE";
- case 0x004A: "STATUS_SUSPEND_COUNT_EXCEEDED";
- case 0x004B: "STATUS_THREAD_IS_TERMINATING";
- case 0x004C: "STATUS_BAD_WORKING_SET_LIMIT";
- case 0x004D: "STATUS_INCOMPATIBLE_FILE_MAP";
- case 0x004E: "STATUS_SECTION_PROTECTION";
- case 0x004F: "STATUS_EAS_NOT_SUPPORTED";
- case 0x0050: "STATUS_EA_TOO_LARGE";
- case 0x0051: "STATUS_NONEXISTENT_EA_ENTRY";
- case 0x0052: "STATUS_NO_EAS_ON_FILE";
- case 0x0053: "STATUS_EA_CORRUPT_ERROR";
- case 0x0054: "STATUS_FILE_LOCK_CONFLICT";
- case 0x0055: "STATUS_LOCK_NOT_GRANTED";
- case 0x0056: "STATUS_DELETE_PENDING";
- case 0x0057: "STATUS_CTL_FILE_NOT_SUPPORTED";
- case 0x0058: "STATUS_UNKNOWN_REVISION";
- case 0x0059: "STATUS_REVISION_MISMATCH";
- case 0x005A: "STATUS_INVALID_OWNER";
- case 0x005B: "STATUS_INVALID_PRIMARY_GROUP";
- case 0x005C: "STATUS_NO_IMPERSONATION_TOKEN";
- case 0x005D: "STATUS_CANT_DISABLE_MANDATORY";
- case 0x005E: "STATUS_NO_LOGON_SERVERS";
- case 0x005F: "STATUS_NO_SUCH_LOGON_SESSION";
- case 0x0060: "STATUS_NO_SUCH_PRIVILEGE";
- case 0x0061: "STATUS_PRIVILEGE_NOT_HELD";
- case 0x0062: "STATUS_INVALID_ACCOUNT_NAME";
- case 0x0063: "STATUS_USER_EXISTS";
- case 0x0064: "STATUS_NO_SUCH_USER";
- case 0x0065: "STATUS_GROUP_EXISTS";
- case 0x0066: "STATUS_NO_SUCH_GROUP";
- case 0x0067: "STATUS_MEMBER_IN_GROUP";
- case 0x0068: "STATUS_MEMBER_NOT_IN_GROUP";
- case 0x0069: "STATUS_LAST_ADMIN";
- case 0x006A: "STATUS_WRONG_PASSWORD";
- case 0x006B: "STATUS_ILL_FORMED_PASSWORD";
- case 0x006C: "STATUS_PASSWORD_RESTRICTION";
- case 0x006D: "STATUS_LOGON_FAILURE";
- case 0x006E: "STATUS_ACCOUNT_RESTRICTION";
- case 0x006F: "STATUS_INVALID_LOGON_HOURS";
- case 0x0070: "STATUS_INVALID_WORKSTATION";
- case 0x0071: "STATUS_PASSWORD_EXPIRED";
- case 0x0072: "STATUS_ACCOUNT_DISABLED";
- case 0x0073: "STATUS_NONE_MAPPED";
- case 0x0074: "STATUS_TOO_MANY_LUIDS_REQUESTED";
- case 0x0075: "STATUS_LUIDS_EXHAUSTED";
- case 0x0076: "STATUS_INVALID_SUB_AUTHORITY";
- case 0x0077: "STATUS_INVALID_ACL";
- case 0x0078: "STATUS_INVALID_SID";
- case 0x0079: "STATUS_INVALID_SECURITY_DESCR";
- case 0x007A: "STATUS_PROCEDURE_NOT_FOUND";
- case 0x007B: "STATUS_INVALID_IMAGE_FORMAT";
- case 0x007C: "STATUS_NO_TOKEN";
- case 0x007D: "STATUS_BAD_INHERITANCE_ACL";
- case 0x007E: "STATUS_RANGE_NOT_LOCKED";
- case 0x007F: "STATUS_DISK_FULL";
- case 0x0080: "STATUS_SERVER_DISABLED";
- case 0x0081: "STATUS_SERVER_NOT_DISABLED";
- case 0x0082: "STATUS_TOO_MANY_GUIDS_REQUESTED";
- case 0x0083: "STATUS_GUIDS_EXHAUSTED";
- case 0x0084: "STATUS_INVALID_ID_AUTHORITY";
- case 0x0085: "STATUS_AGENTS_EXHAUSTED";
- case 0x0086: "STATUS_INVALID_VOLUME_LABEL";
- case 0x0087: "STATUS_SECTION_NOT_EXTENDED";
- case 0x0088: "STATUS_NOT_MAPPED_DATA";
- case 0x0089: "STATUS_RESOURCE_DATA_NOT_FOUND";
- case 0x008A: "STATUS_RESOURCE_TYPE_NOT_FOUND";
- case 0x008B: "STATUS_RESOURCE_NAME_NOT_FOUND";
- case 0x008C: "STATUS_ARRAY_BOUNDS_EXCEEDED";
- case 0x008D: "STATUS_FLOAT_DENORMAL_OPERAND";
- case 0x008E: "STATUS_FLOAT_DIVIDE_BY_ZERO";
- case 0x008F: "STATUS_FLOAT_INEXACT_RESULT";
- case 0x0090: "STATUS_FLOAT_INVALID_OPERATION";
- case 0x0091: "STATUS_FLOAT_OVERFLOW";
- case 0x0092: "STATUS_FLOAT_STACK_CHECK";
- case 0x0093: "STATUS_FLOAT_UNDERFLOW";
- case 0x0094: "STATUS_INTEGER_DIVIDE_BY_ZERO";
- case 0x0095: "STATUS_INTEGER_OVERFLOW";
- case 0x0096: "STATUS_PRIVILEGED_INSTRUCTION";
- case 0x0097: "STATUS_TOO_MANY_PAGING_FILES";
- case 0x0098: "STATUS_FILE_INVALID";
- case 0x0099: "STATUS_ALLOTTED_SPACE_EXCEEDED";
- case 0x009A: "STATUS_INSUFFICIENT_RESOURCES";
- case 0x009B: "STATUS_DFS_EXIT_PATH_FOUND";
- case 0x009C: "STATUS_DEVICE_DATA_ERROR";
- case 0x009D: "STATUS_DEVICE_NOT_CONNECTED";
- case 0x009E: "STATUS_DEVICE_POWER_FAILURE";
- case 0x009F: "STATUS_FREE_VM_NOT_AT_BASE";
- case 0x00A0: "STATUS_MEMORY_NOT_ALLOCATED";
- case 0x00A1: "STATUS_WORKING_SET_QUOTA";
- case 0x00A2: "STATUS_MEDIA_WRITE_PROTECTED";
- case 0x00A3: "STATUS_DEVICE_NOT_READY";
- case 0x00A4: "STATUS_INVALID_GROUP_ATTRIBUTES";
- case 0x00A5: "STATUS_BAD_IMPERSONATION_LEVEL";
- case 0x00A6: "STATUS_CANT_OPEN_ANONYMOUS";
- case 0x00A7: "STATUS_BAD_VALIDATION_CLASS";
- case 0x00A8: "STATUS_BAD_TOKEN_TYPE";
- case 0x00A9: "STATUS_BAD_MASTER_BOOT_RECORD";
- case 0x00AA: "STATUS_INSTRUCTION_MISALIGNMENT";
- case 0x00AB: "STATUS_INSTANCE_NOT_AVAILABLE";
- case 0x00AC: "STATUS_PIPE_NOT_AVAILABLE";
- case 0x00AD: "STATUS_INVALID_PIPE_STATE";
- case 0x00AE: "STATUS_PIPE_BUSY";
- case 0x00AF: "STATUS_ILLEGAL_FUNCTION";
- case 0x00B0: "STATUS_PIPE_DISCONNECTED";
- case 0x00B1: "STATUS_PIPE_CLOSING";
- case 0x00B2: "STATUS_PIPE_CONNECTED";
- case 0x00B3: "STATUS_PIPE_LISTENING";
- case 0x00B4: "STATUS_INVALID_READ_MODE";
- case 0x00B5: "STATUS_IO_TIMEOUT";
- case 0x00B6: "STATUS_FILE_FORCED_CLOSED";
- case 0x00B7: "STATUS_PROFILING_NOT_STARTED";
- case 0x00B8: "STATUS_PROFILING_NOT_STOPPED";
- case 0x00B9: "STATUS_COULD_NOT_INTERPRET";
- case 0x00BA: "STATUS_FILE_IS_A_DIRECTORY";
- case 0x00BB: "STATUS_NOT_SUPPORTED";
- case 0x00BC: "STATUS_REMOTE_NOT_LISTENING";
- case 0x00BD: "STATUS_DUPLICATE_NAME";
- case 0x00BE: "STATUS_BAD_NETWORK_PATH";
- case 0x00BF: "STATUS_NETWORK_BUSY";
- case 0x00C0: "STATUS_DEVICE_DOES_NOT_EXIST";
- case 0x00C1: "STATUS_TOO_MANY_COMMANDS";
- case 0x00C2: "STATUS_ADAPTER_HARDWARE_ERROR";
- case 0x00C3: "STATUS_INVALID_NETWORK_RESPONSE";
- case 0x00C4: "STATUS_UNEXPECTED_NETWORK_ERROR";
- case 0x00C5: "STATUS_BAD_REMOTE_ADAPTER";
- case 0x00C6: "STATUS_PRINT_QUEUE_FULL";
- case 0x00C7: "STATUS_NO_SPOOL_SPACE";
- case 0x00C8: "STATUS_PRINT_CANCELLED";
- case 0x00C9: "STATUS_NETWORK_NAME_DELETED";
- case 0x00CA: "STATUS_NETWORK_ACCESS_DENIED";
- case 0x00CB: "STATUS_BAD_DEVICE_TYPE";
- case 0x00CC: "STATUS_BAD_NETWORK_NAME";
- case 0x00CD: "STATUS_TOO_MANY_NAMES";
- case 0x00CE: "STATUS_TOO_MANY_SESSIONS";
- case 0x00CF: "STATUS_SHARING_PAUSED";
- case 0x00D0: "STATUS_REQUEST_NOT_ACCEPTED";
- case 0x00D1: "STATUS_REDIRECTOR_PAUSED";
- case 0x00D2: "STATUS_NET_WRITE_FAULT";
- case 0x00D3: "STATUS_PROFILING_AT_LIMIT";
- case 0x00D4: "STATUS_NOT_SAME_DEVICE";
- case 0x00D5: "STATUS_FILE_RENAMED";
- case 0x00D6: "STATUS_VIRTUAL_CIRCUIT_CLOSED";
- case 0x00D7: "STATUS_NO_SECURITY_ON_OBJECT";
- case 0x00D8: "STATUS_CANT_WAIT";
- case 0x00D9: "STATUS_PIPE_EMPTY";
- case 0x00DA: "STATUS_CANT_ACCESS_DOMAIN_INFO";
- case 0x00DB: "STATUS_CANT_TERMINATE_SELF";
- case 0x00DC: "STATUS_INVALID_SERVER_STATE";
- case 0x00DD: "STATUS_INVALID_DOMAIN_STATE";
- case 0x00DE: "STATUS_INVALID_DOMAIN_ROLE";
- case 0x00DF: "STATUS_NO_SUCH_DOMAIN";
- case 0x00E0: "STATUS_DOMAIN_EXISTS";
- case 0x00E1: "STATUS_DOMAIN_LIMIT_EXCEEDED";
- case 0x00E2: "STATUS_OPLOCK_NOT_GRANTED";
- case 0x00E3: "STATUS_INVALID_OPLOCK_PROTOCOL";
- case 0x00E4: "STATUS_INTERNAL_DB_CORRUPTION";
- case 0x00E5: "STATUS_INTERNAL_ERROR";
- case 0x00E6: "STATUS_GENERIC_NOT_MAPPED";
- case 0x00E7: "STATUS_BAD_DESCRIPTOR_FORMAT";
- case 0x00E8: "STATUS_INVALID_USER_BUFFER";
- case 0x00E9: "STATUS_UNEXPECTED_IO_ERROR";
- case 0x00EA: "STATUS_UNEXPECTED_MM_CREATE_ERR";
- case 0x00EB: "STATUS_UNEXPECTED_MM_MAP_ERROR";
- case 0x00EC: "STATUS_UNEXPECTED_MM_EXTEND_ERR";
- case 0x00ED: "STATUS_NOT_LOGON_PROCESS";
- case 0x00EE: "STATUS_LOGON_SESSION_EXISTS";
- case 0x00EF: "STATUS_INVALID_PARAMETER_1";
- case 0x00F0: "STATUS_INVALID_PARAMETER_2";
- case 0x00F1: "STATUS_INVALID_PARAMETER_3";
- case 0x00F2: "STATUS_INVALID_PARAMETER_4";
- case 0x00F3: "STATUS_INVALID_PARAMETER_5";
- case 0x00F4: "STATUS_INVALID_PARAMETER_6";
- case 0x00F5: "STATUS_INVALID_PARAMETER_7";
- case 0x00F6: "STATUS_INVALID_PARAMETER_8";
- case 0x00F7: "STATUS_INVALID_PARAMETER_9";
- case 0x00F8: "STATUS_INVALID_PARAMETER_10";
- case 0x00F9: "STATUS_INVALID_PARAMETER_11";
- case 0x00FA: "STATUS_INVALID_PARAMETER_12";
- case 0x00FB: "STATUS_REDIRECTOR_NOT_STARTED";
- case 0x00FC: "STATUS_REDIRECTOR_STARTED";
- case 0x00FD: "STATUS_STACK_OVERFLOW ;// winnt";
- case 0x00FE: "STATUS_NO_SUCH_PACKAGE";
- case 0x00FF: "STATUS_BAD_FUNCTION_TABLE";
- case 0x0100: "STATUS_VARIABLE_NOT_FOUND";
- case 0x0101: "STATUS_DIRECTORY_NOT_EMPTY";
- case 0x0102: "STATUS_FILE_CORRUPT_ERROR";
- case 0x0103: "STATUS_NOT_A_DIRECTORY";
- case 0x0104: "STATUS_BAD_LOGON_SESSION_STATE";
- case 0x0105: "STATUS_LOGON_SESSION_COLLISION";
- case 0x0106: "STATUS_NAME_TOO_LONG";
- case 0x0107: "STATUS_FILES_OPEN";
- case 0x0108: "STATUS_CONNECTION_IN_USE";
- case 0x0109: "STATUS_MESSAGE_NOT_FOUND";
- case 0x010A: "STATUS_PROCESS_IS_TERMINATING";
- case 0x010B: "STATUS_INVALID_LOGON_TYPE";
- case 0x010C: "STATUS_NO_GUID_TRANSLATION";
- case 0x010D: "STATUS_CANNOT_IMPERSONATE";
- case 0x010E: "STATUS_IMAGE_ALREADY_LOADED";
- case 0x010F: "STATUS_ABIOS_NOT_PRESENT";
- case 0x0110: "STATUS_ABIOS_LID_NOT_EXIST";
- case 0x0111: "STATUS_ABIOS_LID_ALREADY_OWNED";
- case 0x0112: "STATUS_ABIOS_NOT_LID_OWNER";
- case 0x0113: "STATUS_ABIOS_INVALID_COMMAND";
- case 0x0114: "STATUS_ABIOS_INVALID_LID";
- case 0x0115: "STATUS_ABIOS_SELECTOR_NOT_AVAILABLE";
- case 0x0116: "STATUS_ABIOS_INVALID_SELECTOR";
- case 0x0117: "STATUS_NO_LDT";
- case 0x0118: "STATUS_INVALID_LDT_SIZE";
- case 0x0119: "STATUS_INVALID_LDT_OFFSET";
- case 0x011A: "STATUS_INVALID_LDT_DESCRIPTOR";
- case 0x011B: "STATUS_INVALID_IMAGE_NE_FORMAT";
- case 0x011C: "STATUS_RXACT_INVALID_STATE";
- case 0x011D: "STATUS_RXACT_COMMIT_FAILURE";
- case 0x011E: "STATUS_MAPPED_FILE_SIZE_ZERO";
- case 0x011F: "STATUS_TOO_MANY_OPENED_FILES";
- case 0x0120: "STATUS_CANCELLED";
- case 0x0121: "STATUS_CANNOT_DELETE";
- case 0x0122: "STATUS_INVALID_COMPUTER_NAME";
- case 0x0123: "STATUS_FILE_DELETED";
- case 0x0124: "STATUS_SPECIAL_ACCOUNT";
- case 0x0125: "STATUS_SPECIAL_GROUP";
- case 0x0126: "STATUS_SPECIAL_USER";
- case 0x0127: "STATUS_MEMBERS_PRIMARY_GROUP";
- case 0x0128: "STATUS_FILE_CLOSED";
- case 0x0129: "STATUS_TOO_MANY_THREADS";
- case 0x012A: "STATUS_THREAD_NOT_IN_PROCESS";
- case 0x012B: "STATUS_TOKEN_ALREADY_IN_USE";
- case 0x012C: "STATUS_PAGEFILE_QUOTA_EXCEEDED";
- case 0x012D: "STATUS_COMMITMENT_LIMIT";
- case 0x012E: "STATUS_INVALID_IMAGE_LE_FORMAT";
- case 0x012F: "STATUS_INVALID_IMAGE_NOT_MZ";
- case 0x0130: "STATUS_INVALID_IMAGE_PROTECT";
- case 0x0131: "STATUS_INVALID_IMAGE_WIN_16";
- case 0x0132: "STATUS_LOGON_SERVER_CONFLICT";
- case 0x0133: "STATUS_TIME_DIFFERENCE_AT_DC";
- case 0x0134: "STATUS_SYNCHRONIZATION_REQUIRED";
- case 0x0135: "STATUS_DLL_NOT_FOUND";
- case 0x0136: "STATUS_OPEN_FAILED";
- case 0x0137: "STATUS_IO_PRIVILEGE_FAILED";
- case 0x0138: "STATUS_ORDINAL_NOT_FOUND";
- case 0x0139: "STATUS_ENTRYPOINT_NOT_FOUND";
- case 0x013A: "STATUS_CONTROL_C_EXIT ;// winnt";
- case 0x013B: "STATUS_LOCAL_DISCONNECT";
- case 0x013C: "STATUS_REMOTE_DISCONNECT";
- case 0x013D: "STATUS_REMOTE_RESOURCES";
- case 0x013E: "STATUS_LINK_FAILED";
- case 0x013F: "STATUS_LINK_TIMEOUT";
- case 0x0140: "STATUS_INVALID_CONNECTION";
- case 0x0141: "STATUS_INVALID_ADDRESS";
- case 0x0142: "STATUS_DLL_INIT_FAILED";
- case 0x0143: "STATUS_MISSING_SYSTEMFILE";
- case 0x0144: "STATUS_UNHANDLED_EXCEPTION";
- case 0x0145: "STATUS_APP_INIT_FAILURE";
- case 0x0146: "STATUS_PAGEFILE_CREATE_FAILED";
- case 0x0147: "STATUS_NO_PAGEFILE";
- case 0x0148: "STATUS_INVALID_LEVEL";
- case 0x0149: "STATUS_WRONG_PASSWORD_CORE";
- case 0x014A: "STATUS_ILLEGAL_FLOAT_CONTEXT";
- case 0x014B: "STATUS_PIPE_BROKEN";
- case 0x014C: "STATUS_REGISTRY_CORRUPT";
- case 0x014d: "STATUS_REGISTRY_IO_FAILED";
- case 0x014e: "STATUS_NO_EVENT_PAIR";
- case 0x014f: "STATUS_UNRECOGNIZED_VOLUME";
- case 0x0150: "STATUS_SERIAL_NO_DEVICE_INITED";
- case 0x0151: "STATUS_NO_SUCH_ALIAS";
- case 0x0152: "STATUS_MEMBER_NOT_IN_ALIAS";
- case 0x0153: "STATUS_MEMBER_IN_ALIAS";
- case 0x0154: "STATUS_ALIAS_EXISTS";
- case 0x0155: "STATUS_LOGON_NOT_GRANTED";
- case 0x0156: "STATUS_TOO_MANY_SECRETS";
- case 0x0157: "STATUS_SECRET_TOO_LONG";
- case 0x0158: "STATUS_INTERNAL_DB_ERROR";
- case 0x0159: "STATUS_FULLSCREEN_MODE";
- case 0x015A: "STATUS_TOO_MANY_CONTEXT_IDS";
- case 0x015B: "STATUS_LOGON_TYPE_NOT_GRANTED";
- case 0x015C: "STATUS_NOT_REGISTRY_FILE";
- case 0x015D: "STATUS_NT_CROSS_ENCRYPTION_REQUIRED";
- case 0x015E: "STATUS_DOMAIN_CTRLR_CONFIG_ERROR";
- case 0x015F: "STATUS_FT_MISSING_MEMBER";
- case 0x0160: "STATUS_ILL_FORMED_SERVICE_ENTRY";
- case 0x0161: "STATUS_ILLEGAL_CHARACTER";
- case 0x0162: "STATUS_UNMAPPABLE_CHARACTER";
- case 0x0163: "STATUS_UNDEFINED_CHARACTER";
- case 0x0164: "STATUS_FLOPPY_VOLUME";
- case 0x0165: "STATUS_FLOPPY_ID_MARK_NOT_FOUND";
- case 0x0166: "STATUS_FLOPPY_WRONG_CYLINDER";
- case 0x0167: "STATUS_FLOPPY_UNKNOWN_ERROR";
- case 0x0168: "STATUS_FLOPPY_BAD_REGISTERS";
- case 0x0169: "STATUS_DISK_RECALIBRATE_FAILED";
- case 0x016A: "STATUS_DISK_OPERATION_FAILED";
- case 0x016B: "STATUS_DISK_RESET_FAILED";
- case 0x016C: "STATUS_SHARED_IRQ_BUSY";
- case 0x016D: "STATUS_FT_ORPHANING";
- case 0x0172: "STATUS_PARTITION_FAILURE";
- case 0x0173: "STATUS_INVALID_BLOCK_LENGTH";
- case 0x0174: "STATUS_DEVICE_NOT_PARTITIONED";
- case 0x0175: "STATUS_UNABLE_TO_LOCK_MEDIA";
- case 0x0176: "STATUS_UNABLE_TO_UNLOAD_MEDIA";
- case 0x0177: "STATUS_EOM_OVERFLOW";
- case 0x0178: "STATUS_NO_MEDIA";
- case 0x017A: "STATUS_NO_SUCH_MEMBER";
- case 0x017B: "STATUS_INVALID_MEMBER";
- case 0x017C: "STATUS_KEY_DELETED";
- case 0x017D: "STATUS_NO_LOG_SPACE";
- case 0x017E: "STATUS_TOO_MANY_SIDS";
- case 0x017F: "STATUS_LM_CROSS_ENCRYPTION_REQUIRED";
- case 0x0180: "STATUS_KEY_HAS_CHILDREN";
- case 0x0181: "STATUS_CHILD_MUST_BE_VOLATILE";
- case 0x0182: "STATUS_DEVICE_CONFIGURATION_ERROR";
- case 0x0183: "STATUS_DRIVER_INTERNAL_ERROR";
- case 0x0184: "STATUS_INVALID_DEVICE_STATE";
- case 0x0185: "STATUS_IO_DEVICE_ERROR";
- case 0x0186: "STATUS_DEVICE_PROTOCOL_ERROR";
- case 0x0187: "STATUS_BACKUP_CONTROLLER";
- case 0x0188: "STATUS_LOG_FILE_FULL";
- case 0x0189: "STATUS_TOO_LATE";
- case 0x018A: "STATUS_NO_TRUST_LSA_SECRET";
- case 0x018B: "STATUS_NO_TRUST_SAM_ACCOUNT";
- case 0x018C: "STATUS_TRUSTED_DOMAIN_FAILURE";
- case 0x018D: "STATUS_TRUSTED_RELATIONSHIP_FAILURE";
- case 0x018E: "STATUS_EVENTLOG_FILE_CORRUPT";
- case 0x018F: "STATUS_EVENTLOG_CANT_START";
- case 0x0190: "STATUS_TRUST_FAILURE";
- case 0x0191: "STATUS_MUTANT_LIMIT_EXCEEDED";
- case 0x0192: "STATUS_NETLOGON_NOT_STARTED";
- case 0x0193: "STATUS_ACCOUNT_EXPIRED";
- case 0x0194: "STATUS_POSSIBLE_DEADLOCK";
- case 0x0195: "STATUS_NETWORK_CREDENTIAL_CONFLICT";
- case 0x0196: "STATUS_REMOTE_SESSION_LIMIT";
- case 0x0197: "STATUS_EVENTLOG_FILE_CHANGED";
- case 0x0198: "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT";
- case 0x0199: "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT";
- case 0x019A: "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT";
- case 0x019B: "STATUS_DOMAIN_TRUST_INCONSISTENT";
- case 0x019C: "STATUS_FS_DRIVER_REQUIRED";
- case 0x0202: "STATUS_NO_USER_SESSION_KEY";
- case 0x0203: "STATUS_USER_SESSION_DELETED";
- case 0x0204: "STATUS_RESOURCE_LANG_NOT_FOUND";
- case 0x0205: "STATUS_INSUFF_SERVER_RESOURCES";
- case 0x0206: "STATUS_INVALID_BUFFER_SIZE";
- case 0x0207: "STATUS_INVALID_ADDRESS_COMPONENT";
- case 0x0208: "STATUS_INVALID_ADDRESS_WILDCARD";
- case 0x0209: "STATUS_TOO_MANY_ADDRESSES";
- case 0x020A: "STATUS_ADDRESS_ALREADY_EXISTS";
- case 0x020B: "STATUS_ADDRESS_CLOSED";
- case 0x020C: "STATUS_CONNECTION_DISCONNECTED";
- case 0x020D: "STATUS_CONNECTION_RESET";
- case 0x020E: "STATUS_TOO_MANY_NODES";
- case 0x020F: "STATUS_TRANSACTION_ABORTED";
- case 0x0210: "STATUS_TRANSACTION_TIMED_OUT";
- case 0x0211: "STATUS_TRANSACTION_NO_RELEASE";
- case 0x0212: "STATUS_TRANSACTION_NO_MATCH";
- case 0x0213: "STATUS_TRANSACTION_RESPONDED";
- case 0x0214: "STATUS_TRANSACTION_INVALID_ID";
- case 0x0215: "STATUS_TRANSACTION_INVALID_TYPE";
- case 0x0216: "STATUS_NOT_SERVER_SESSION";
- case 0x0217: "STATUS_NOT_CLIENT_SESSION";
- case 0x0218: "STATUS_CANNOT_LOAD_REGISTRY_FILE";
- case 0x0219: "STATUS_DEBUG_ATTACH_FAILED";
- case 0x021A: "STATUS_SYSTEM_PROCESS_TERMINATED";
- case 0x021B: "STATUS_DATA_NOT_ACCEPTED";
- case 0x021C: "STATUS_NO_BROWSER_SERVERS_FOUND";
- case 0x021D: "STATUS_VDM_HARD_ERROR";
- case 0x021E: "STATUS_DRIVER_CANCEL_TIMEOUT";
- case 0x021F: "STATUS_REPLY_MESSAGE_MISMATCH";
- case 0x0220: "STATUS_MAPPED_ALIGNMENT";
- case 0x0221: "STATUS_IMAGE_CHECKSUM_MISMATCH";
- case 0x0222: "STATUS_LOST_WRITEBEHIND_DATA";
- case 0x0223: "STATUS_CLIENT_SERVER_PARAMETERS_INVALID";
- case 0x0224: "STATUS_PASSWORD_MUST_CHANGE";
- case 0x0225: "STATUS_NOT_FOUND";
- case 0x0226: "STATUS_NOT_TINY_STREAM";
- case 0x0227: "STATUS_RECOVERY_FAILURE";
- case 0x0228: "STATUS_STACK_OVERFLOW_READ";
- case 0x0229: "STATUS_FAIL_CHECK";
- case 0x022a: "STATUS_DUPLICATE_OBJECTID";
- case 0x022b: "STATUS_OBJECTID_EXISTS";
- case 0x022c: "STATUS_CONVERT_TO_LARGE";
- case 0x022d: "STATUS_RETRY";
- case 0x022e: "STATUS_FOUND_OUT_OF_SCOPE";
- case 0x022f: "STATUS_ALLOCATE_BUCKET";
- case 0x0230: "STATUS_PROPSET_NOT_FOUND";
- case 0x0231: "STATUS_MARSHALL_OVERFLOW";
- case 0x0232: "STATUS_INVALID_VARIANT";
- case 0x0233: "STATUS_DOMAIN_CONTROLLER_NOT_FOUND";
- case 0x0234: "STATUS_ACCOUNT_LOCKED_OUT";
- case 0x0235: "STATUS_HANDLE_NOT_CLOSABLE";
- case 0x0236: "STATUS_CONNECTION_REFUSED";
- case 0x0237: "STATUS_GRACEFUL_DISCONNECT";
- case 0x0238: "STATUS_ADDRESS_ALREADY_ASSOCIATED";
- case 0x0239: "STATUS_ADDRESS_NOT_ASSOCIATED";
- case 0x023a: "STATUS_CONNECTION_INVALID";
- case 0x023b: "STATUS_CONNECTION_ACTIVE";
- case 0x023c: "STATUS_NETWORK_UNREACHABLE";
- case 0x023d: "STATUS_HOST_UNREACHABLE";
- case 0x023e: "STATUS_PROTOCOL_UNREACHABLE";
- case 0x023f: "STATUS_PORT_UNREACHABLE";
- case 0x0240: "STATUS_REQUEST_ABORTED";
- case 0x0241: "STATUS_CONNECTION_ABORTED";
- case 0x0242: "STATUS_BAD_COMPRESSION_BUFFER";
- case 0x0243: "STATUS_USER_MAPPED_FILE";
- case 0x0244: "STATUS_AUDIT_FAILED";
- case 0x0245: "STATUS_TIMER_RESOLUTION_NOT_SET";
- case 0x0246: "STATUS_CONNECTION_COUNT_LIMIT";
- case 0x0247: "STATUS_LOGIN_TIME_RESTRICTION";
- case 0x0248: "STATUS_LOGIN_WKSTA_RESTRICTION";
- case 0x0249: "STATUS_IMAGE_MP_UP_MISMATCH";
- case 0x0250: "STATUS_INSUFFICIENT_LOGON_INFO";
- case 0x0251: "STATUS_BAD_DLL_ENTRYPOINT";
- case 0x0252: "STATUS_BAD_SERVICE_ENTRYPOINT";
- case 0x0253: "STATUS_LPC_REPLY_LOST";
- case 0x0254: "STATUS_IP_ADDRESS_CONFLICT1";
- case 0x0255: "STATUS_IP_ADDRESS_CONFLICT2";
- case 0x0256: "STATUS_REGISTRY_QUOTA_LIMIT";
- case 0x0257: "STATUS_PATH_NOT_COVERED";
- case 0x0258: "STATUS_NO_CALLBACK_ACTIVE";
- case 0x0259: "STATUS_LICENSE_QUOTA_EXCEEDED";
- case 0x025a: "STATUS_PWD_TOO_SHORT";
- case 0x025b: "STATUS_PWD_TOO_RECENT";
- case 0x025c: "STATUS_PWD_HISTORY_CONFLICT";
- case 0x025e: "STATUS_PLUGPLAY_NO_DEVICE";
- case 0x025f: "STATUS_UNSUPPORTED_COMPRESSION";
- case 0x0260: "STATUS_INVALID_HW_PROFILE";
- case 0x0261: "STATUS_INVALID_PLUGPLAY_DEVICE_PATH";
- case 0x0262: "STATUS_DRIVER_ORDINAL_NOT_FOUND";
- case 0x0263: "STATUS_DRIVER_ENTRYPOINT_NOT_FOUND";
- case 0x0264: "STATUS_RESOURCE_NOT_OWNED";
- case 0x0265: "STATUS_TOO_MANY_LINKS";
- case 0x0266: "STATUS_QUOTA_LIST_INCONSISTENT";
- case 0x0267: "STATUS_FILE_IS_OFFLINE";
- case 0x035C: "STATUS_NETWORK_SESSION_EXPIRED";
- case 0x2001: "STATUS_INVALID_SMB";
- case 0x2005: "STATUS_SMB_BAD_TID";
- case 0x2016: "STATUS_SMB_BAD_COMMAND";
- case 0x205A: "STATUS_SMB_TOO_MANY_UIDS";
- case 0x205B: "STATUS_SMB_BAD_UID";
- case 0x20FB: "STATUS_SMB_USE_STANDARD";
- case 0xA100: "STATUS_HASH_NOT_SUPPORTED";
- case 0xA101: "STATUS_HASH_NOT_PRESENT";
- case 0x0275: "STATUS_NOT_A_REPARSE_POINT";
- default: "Unhandled Error code";
- }
- }
-
- Table SMBNTStatusCodeTable(Facility, Severity, Code)
- {
- switch
- {
- case Facility == 0 && Severity == 0: FormatString("(%d) %s", Code, SMBNTStatusSystemSuccessCodeTable(Code));
- case Facility == 0 && Severity == 1: FormatString("(%d) %s", Code, SMBNTStatusSystemInfoCodeTable(Code));
- case Facility == 0 && Severity == 2: FormatString("(%d) %s", Code, SMBNTStatusSystemWarningCodeTable(Code));
- case Facility == 0 && Severity == 3: FormatString("(%d) %s", Code, SMBNTStatusSystemErrorCodeTable(Code));
- default: FormatString("(%d) Unhandled status code", code);
- }
- }
-
- Table SMBComMoveOpenFuncTable( value )
- {
- switch
- {
- case value == 0: "Fail if file exists (0)";
- case value == 1: "Open file if it exists (1)";
- case value == 2: "Replace if target file exists (2)";
- case value == 3: "Unknown (3)";
- }
- }
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBDATE = FormatString("%d-%02d-%02d", Year + 1980, Month, Day)
- {
- UINT16 Day:5;
- UINT16 Month:4;
- UINT16 Year:7;
- };
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBTIME = FormatString("%02d:%02d:%02d", Hours, Minutes, TwoSeconds * 2)
- {
- UINT16 TwoSeconds:5;
- UINT16 Minutes:6;
- UINT16 Hours:5;
- };
-
- Table SMBNTRenameInformationLevel (value)
- {
- switch(value)
- {
- case 0x0001: "Allocation information";
- case 0x0002: "Volume information";
- case 0x0102: "File system volume information";
- case 0x0103: "SMB_NT_RENAME_SET_LINK_INFO";
- case 0x0104: "SMB_NT_RENAME_RENAME_FILE";
- case 0x0105: "SMB_NT_RENAME_MOVE_FILE";
- default: "Unknown";
- }
- }
-
- Table SMBErrorClassTable(value)
- {
- switch(value)
- {
- case 0x00: "No Error";
- case 0x01: "DOS OS Error";
- case 0x02: "Server Error"; //Server Network File Manager Error
- case 0x03: "Hard Error"; //Hardware Error
- case 0x04: "Extended-OS Error";
- case 0xE1: "RMXError1";
- case 0xE2: "RMXError2";
- case 0xE3: "RMXError3";
- case 0xFF: "Bad SMB format";
- default: FormatString("Unknown (0x%x)", value);
- }
- }
-
- //
- //http://www.megos.ch/support/doserrors.txt
- //
- Table SMBErrorCodesERRDOSTable(value)
- {
- switch(value)
- {
- case 0x0: FormatString("(%d) NO_ERROR", value);
- case 0x1: FormatString("(%d) INVALID_FUNCTION", value);
- case 0x2: FormatString("(%d) FILE_NOT_FOUND", value);
- case 0x3: FormatString("(%d) PATH_NOT_FOUND", value);
- case 0x4: FormatString("(%d) TOO_MANY_OPEN_FILES", value);
- case 0x5: FormatString("(%d) ACCESS_DENIED", value);
- case 0x6: FormatString("(%d) INVALID_HANDLE", value);
- case 0x7: FormatString("(%d) ARENA_TRASHED", value);
- case 0x8: FormatString("(%d) NOT_ENOUGH_MEMORY", value);
- case 0x9: FormatString("(%d) INVALID_BLOCK", value);
- case 0x0A: FormatString("(%d) BAD_ENVIRONMENT", value);
- case 0x0B: FormatString("(%d) BAD_FORMAT", value);
- case 0x0C: FormatString("(%d) INVALID_ACCESS", value);
- case 0x0D: FormatString("(%d) INVALID_DATA", value);
- case 0x0E: FormatString("(%d) OUTOFMEMORY", value);
- case 0x0F: FormatString("(%d) INVALID_DRIVE", value);
- case 0x10: FormatString("(%d) CURRENT_DIRECTORY", value);
- case 0x11: FormatString("(%d) NOT_SAME_DEVICE", value);
- case 0x12: FormatString("(%d) NO_MORE_FILES", value);
- case 0x13: FormatString("(%d) WRITE_PROTECT", value);
- case 0x14: FormatString("(%d) BAD_UNIT", value);
- case 0x15: FormatString("(%d) NOT_READY", value);
- case 0x16: FormatString("(%d) BAD_COMMAND", value);
- case 0x17: FormatString("(%d) CRC", value);
- case 0x18: FormatString("(%d) BAD_LENGTH", value);
- case 0x19: FormatString("(%d) SEEK", value);
- case 0x1A: FormatString("(%d) NOT_DOS_DISK", value);
- case 0x1B: FormatString("(%d) SECTOR_NOT_FOUND", value);
- case 0x1C: FormatString("(%d) OUT_OF_PAPER", value);
- case 0x1D: FormatString("(%d) WRITE_FAULT", value);
- case 0x1E: FormatString("(%d) READ_FAULT", value);
- case 0x1F: FormatString("(%d) GEN_FAILURE", value);
- case 0x20: FormatString("(%d) SHARING_VIOLATION", value);
- case 0x21: FormatString("(%d) LOCK_VIOLATION", value);
- case 0x22: FormatString("(%d) WRONG_DISK", value);
- case 0x23: FormatString("(%d) FCB_UNAVAILABLE", value);
- case 0x24: FormatString("(%d) SHARING_BUFFER_EXCEEDED", value);
- case 0x26: FormatString("(%d) HANDLE_EOF", value);
- case 0x27: FormatString("(%d) HANDLE_DISK_FULL", value);
- case 0x32: FormatString("(%d) NOT_SUPPORTED", value);
- case 0x33: FormatString("(%d) REM_NOT_LIST", value);
- case 0x34: FormatString("(%d) DUP_NAME", value);
- case 0x35: FormatString("(%d) BAD_NETPATH", value);
- case 0x36: FormatString("(%d) NETWORK_BUSY", value);
- case 0x37: FormatString("(%d) DEV_NOT_EXIST", value);
- case 0x38: FormatString("(%d) TOO_MANY_CMDS", value);
- case 0x39: FormatString("(%d) ADAP_HDW_ERR", value);
- case 0x3A: FormatString("(%d) BAD_NET_RESP", value);
- case 0x3B: FormatString("(%d) UNEXP_NET_ERR", value);
- case 0x3C: FormatString("(%d) BAD_REM_ADAP", value);
- case 0x3D: FormatString("(%d) PRINTQ_FULL", value);
- case 0x3E: FormatString("(%d) NO_SPOOL_SPACE", value);
- case 0x3F: FormatString("(%d) PRINT_CANCELLED", value);
- case 0x40: FormatString("(%d) NETNAME_DELETED", value);
- case 0x41: FormatString("(%d) NETWORK_ACCESS_DENIED", value);
- case 0x42: FormatString("(%d) BAD_DEV_TYPE", value);
- case 0x43: FormatString("(%d) BAD_NET_NAME", value);
- case 0x44: FormatString("(%d) TOO_MANY_NAMES", value);
- case 0x45: FormatString("(%d) TOO_MANY_SESS", value);
- case 0x46: FormatString("(%d) SHARING_PAUSED", value);
- case 0x47: FormatString("(%d) REQ_NOT_ACCEP", value);
- case 0x48: FormatString("(%d) REDIR_PAUSED", value);
- case 0x50: FormatString("(%d) FILE_EXISTS", value);
- case 0x51: FormatString("(%d) DUP_FCB", value);
- case 0x52: FormatString("(%d) CANNOT_MAKE", value);
- case 0x53: FormatString("(%d) FAIL_I24", value);
- case 0x54: FormatString("(%d) OUT_OF_STRUCTURES", value);
- case 0x55: FormatString("(%d) ALREADY_ASSIGNED", value);
- case 0x56: FormatString("(%d) INVALID_PASSWORD", value);
- case 0x57: FormatString("(%d) INVALID_PARAMETER", value);
- case 0x58: FormatString("(%d) NET_WRITE_FAULT", value);
- case 0x59: FormatString("(%d) NO_PROC_SLOTS", value);
- case 0x5A: FormatString("(%d) NOT_FROZEN", value);
- case 0x5B: FormatString("(%d) ERR_TSTOVFL", value);
- case 0x5C: FormatString("(%d) ERR_TSTDUP", value);
- case 0x5D: FormatString("(%d) NO_ITEMS", value);
- case 0x5F: FormatString("(%d) INTERRUPT", value);
- case 0x63: FormatString("(%d) DEVICE_IN_USE", value);
- case 0x64: FormatString("(%d) TOO_MANY_SEMAPHORES", value);
- case 0x65: FormatString("(%d) EXCL_SEM_ALREADY_OWNED", value);
- case 0x66: FormatString("(%d) SEM_IS_SET", value);
- case 0x67: FormatString("(%d) TOO_MANY_SEM_REQUESTS", value);
- case 0x68: FormatString("(%d) INVALID_AT_INTERRUPT_TIME", value);
- case 0x69: FormatString("(%d) SEM_OWNER_DIED", value);
- case 0x6A: FormatString("(%d) SEM_USER_LIMIT", value);
- case 0x6B: FormatString("(%d) DISK_CHANGE", value);
- case 0x6C: FormatString("(%d) DRIVE_LOCKED", value);
- case 0x6D: FormatString("(%d) BROKEN_PIPE", value);
- case 0x6E: FormatString("(%d) OPEN_FAILED", value);
- case 0x6F: FormatString("(%d) BUFFER_OVERFLOW", value);
- case 0x70: FormatString("(%d) DISK_FULL", value);
- case 0x71: FormatString("(%d) NO_MORE_SEARCH_HANDLES", value);
- case 0x72: FormatString("(%d) INVALID_TARGET_HANDLE", value);
- case 0x73: FormatString("(%d) PROTECTION_VIOLATION", value);
- case 0x74: FormatString("(%d) VIOKBD_REQUEST", value);
- case 0x75: FormatString("(%d) INVALID_CATEGORY", value);
- case 0x76: FormatString("(%d) INVALID_VERIFY_SWITCH", value);
- case 0x77: FormatString("(%d) BAD_DRIVER_LEVEL", value);
- case 0x78: FormatString("(%d) CALL_NOT_IMPLEMENTED", value);
- case 0x79: FormatString("(%d) SEM_TIMEOUT", value);
- case 0x7A: FormatString("(%d) INSUFFICIENT_BUFFER", value);
- case 0x7B: FormatString("(%d) INVALID_NAME", value);
- case 0x7C: FormatString("(%d) INVALID_LEVEL", value);
- case 0x7D: FormatString("(%d) NO_VOLUME_LABEL", value);
- case 0x7E: FormatString("(%d) MOD_NOT_FOUND", value);
- case 0x7F: FormatString("(%d) PROC_NOT_FOUND", value);
- case 0x80: FormatString("(%d) WAIT_NO_CHILDREN", value);
- case 0x81: FormatString("(%d) CHILD_NOT_COMPLETE", value);
- case 0x82: FormatString("(%d) DIRECT_ACCESS_HANDLE", value);
- case 0x83: FormatString("(%d) NEGATIVE_SEEK", value);
- case 0x84: FormatString("(%d) SEEK_ON_DEVICE", value);
- case 0x85: FormatString("(%d) IS_JOIN_TARGET", value);
- case 0x86: FormatString("(%d) IS_JOINED", value);
- case 0x87: FormatString("(%d) IS_SUBSTED", value);
- case 0x88: FormatString("(%d) NOT_JOINED", value);
- case 0x89: FormatString("(%d) NOT_SUBSTED", value);
- case 0x8A: FormatString("(%d) JOIN_TO_JOIN", value);
- case 0x8B: FormatString("(%d) SUBST_TO_SUBST", value);
- case 0x8C: FormatString("(%d) JOIN_TO_SUBST", value);
- case 0x8D: FormatString("(%d) SUBST_TO_JOIN", value);
- case 0x8E: FormatString("(%d) BUSY_DRIVE", value);
- case 0x8F: FormatString("(%d) SAME_DRIVE", value);
- case 0x90: FormatString("(%d) DIR_NOT_ROOT", value);
- case 0x91: FormatString("(%d) DIR_NOT_EMPTY", value);
- case 0x92: FormatString("(%d) IS_SUBST_PATH", value);
- case 0x93: FormatString("(%d) IS_JOIN_PATH", value);
- case 0x94: FormatString("(%d) PATH_BUSY", value);
- case 0x95: FormatString("(%d) IS_SUBST_TARGET", value);
- case 0x96: FormatString("(%d) SYSTEM_TRACE", value);
- case 0x97: FormatString("(%d) INVALID_EVENT_COUNT", value);
- case 0x98: FormatString("(%d) TOO_MANY_MUXWAITERS", value);
- case 0x99: FormatString("(%d) INVALID_LIST_FORMAT", value);
- case 0x9A: FormatString("(%d) LABEL_TOO_LONG", value);
- case 0x9B: FormatString("(%d) TOO_MANY_TCBS", value);
- case 0x9C: FormatString("(%d) SIGNAL_REFUSED", value);
- case 0x9D: FormatString("(%d) DISCARDED", value);
- case 0x9E: FormatString("(%d) NOT_LOCKED", value);
- case 0x9F: FormatString("(%d) BAD_THREADID_ADDR", value);
- case 0xA0: FormatString("(%d) BAD_ARGUMENTS", value);
- case 0xA1: FormatString("(%d) BAD_PATHNAME", value);
- case 0xA2: FormatString("(%d) SIGNAL_PENDING", value);
- case 0xA3: FormatString("(%d) UNCERTAIN_MEDIA", value);
- case 0xA4: FormatString("(%d) MAX_THRDS_REACHED", value);
- case 0xA5: FormatString("(%d) MONITORS_NOT_SUPPORTED", value);
- case 0xA6: FormatString("(%d) UNC_DRIVER_NOT_INSTALLED", value);
- case 0xA7: FormatString("(%d) LOCK_FAILED", value);
- case 0xA8: FormatString("(%d) SWAPIO_FAILED", value);
- case 0xA9: FormatString("(%d) SWAPIN_FAILED", value);
- case 0xAA: FormatString("(%d) BUSY", value);
- case 0xAD: FormatString("(%d) CANCEL_VIOLATION", value);
- case 0xAE: FormatString("(%d) ATOMIC_LOCKS_NOT_SUPPORTED", value);
- case 0xB4: FormatString("(%d) INVALID_SEGMENT_NUMBER", value);
- case 0xB5: FormatString("(%d) INVALID_CALLGATE", value);
- case 0xB6: FormatString("(%d) INVALID_ORDINAL", value);
- case 0xB7: FormatString("(%d) ALREADY_EXISTS", value);
- case 0xB8: FormatString("(%d) NO_CHILD_PROCESS", value);
- case 0xB9: FormatString("(%d) CHILD_ALIVE_NOWAIT", value);
- case 0xBA: FormatString("(%d) INVALID_FLAG_NUMBER", value);
- case 0xBB: FormatString("(%d) SEM_NOT_FOUND", value);
- case 0xBC: FormatString("(%d) INVALID_STARTING_CODESEG", value);
- case 0xBD: FormatString("(%d) INVALID_STACKSEG", value);
- case 0xBE: FormatString("(%d) INVALID_MODULETYPE", value);
- case 0xBF: FormatString("(%d) INVALID_EXE_SIGNATURE", value);
- case 0xC0: FormatString("(%d) EXE_MARKED_INVALID", value);
- case 0xC1: FormatString("(%d) BAD_EXE_FORMAT", value);
- case 0xC2: FormatString("(%d) ITERATED_DATA_EXCEEDS_64K", value);
- case 0xC3: FormatString("(%d) INVALID_MINALLOCSIZE", value);
- case 0xC4: FormatString("(%d) DYNLINK_FROM_INVALID_RING", value);
- case 0xC5: FormatString("(%d) IOPL_NOT_ENABLED", value);
- case 0xC6: FormatString("(%d) INVALID_SEGDPL", value);
- case 0xC7: FormatString("(%d) AUTODATASEG_EXCEEDS_64k", value);
- case 0xC8: FormatString("(%d) RING2SEG_MUST_BE_MOVABLE", value);
- case 0xC9: FormatString("(%d) RELOC_CHAIN_XEEDS_SEGLIM", value);
- case 0xCA: FormatString("(%d) INFLOOP_IN_RELOC_CHAIN", value);
- case 0xCB: FormatString("(%d) ENVVAR_NOT_FOUND", value);
- case 0xCC: FormatString("(%d) NOT_CURRENT_CTRY", value);
- case 0xCD: FormatString("(%d) NO_SIGNAL_SENT", value);
- case 0xCE: FormatString("(%d) FILENAME_EXCED_RANGE", value);
- case 0xCF: FormatString("(%d) RING2_STACK_IN_USE", value);
- case 0xD0: FormatString("(%d) META_EXPANSION_TOO_LONG", value);
- case 0xD1: FormatString("(%d) INVALID_SIGNAL_NUMBER", value);
- case 0xD2: FormatString("(%d) THREAD_1_INACTIVE", value);
- case 0xD3: FormatString("(%d) INFO_NOT_AVAIL", value);
- case 0xD4: FormatString("(%d) LOCKED", value);
- case 0xD5: FormatString("(%d) BAD_DYNALINK", value);
- case 0xD6: FormatString("(%d) TOO_MANY_MODULES", value);
- case 0xD7: FormatString("(%d) NESTING_NOT_ALLOWED", value);
- case 0xD8: FormatString("(%d) CANNOT_SHRINK", value);
- case 0xD9: FormatString("(%d) ZOMBIE_PROCESS", value);
- case 0xDA: FormatString("(%d) STACK_IN_HIGH_MEMORY", value);
- case 0xDB: FormatString("(%d) INVALID_EXITROUTINE_RING", value);
- case 0xDC: FormatString("(%d) GETBUF_FAILED", value);
- case 0xDD: FormatString("(%d) FLUSHBUF_FAILED", value);
- case 0xDE: FormatString("(%d) TRANSFER_TOO_LONG", value);
- case 0xE4: FormatString("(%d) NO_CHILDREN", value);
- case 0xE5: FormatString("(%d) INVALID_SCREEN_GROUP", value);
- case 0xE6: FormatString("(%d) BAD_PIPE", value);
- case 0xE7: FormatString("(%d) PIPE_BUSY", value);
- case 0xE8: FormatString("(%d) NO_DATA", value);
- case 0xE9: FormatString("(%d) PIPE_NOT_CONNECTED", value);
- case 0xEA: FormatString("(%d) MORE_DATA", value);
- case 0xF0: FormatString("(%d) VC_DISCONNECTED", value);
- case 0xFA: FormatString("(%d) CIRCULARITY_REQUESTED", value);
- case 0xFB: FormatString("(%d) DIRECTORY_IN_CDS", value);
- case 0xFC: FormatString("(%d) INVALID_FSD_NAME", value);
- case 0xFD: FormatString("(%d) INVALID_PATH", value);
- case 0xFE: FormatString("(%d) INVALID_EA_NAME", value);
- case 0xFF: FormatString("(%d) EA_LIST_INCONSISTENT", value);
- case 0x100: FormatString("(%d) EA_LIST_TOO_LONG", value);
- case 0x101: FormatString("(%d) NO_META_MATCH", value);
- case 0x102: FormatString("(%d) FINDNOTIFY_TIMEOUT", value);
- case 0x103: FormatString("(%d) NO_MORE_ITEMS", value);
- case 0x104: FormatString("(%d) SEARCH_STRUC_REUSED", value);
- case 0x105: FormatString("(%d) CHAR_NOT_FOUND", value);
- case 0x106: FormatString("(%d) TOO_MUCH_STACK", value);
- case 0x107: FormatString("(%d) INVALID_ATTR", value);
- case 0x108: FormatString("(%d) INVALID_STARTING_RING", value);
- case 0x109: FormatString("(%d) INVALID_DLL_INIT_RING", value);
- case 0x10A: FormatString("(%d) CANNOT_COPY", value);
- case 0x10B: FormatString("(%d) DIRECTORY", value);
- case 0x10C: FormatString("(%d) OPLOCKED_FILE", value);
- case 0x10D: FormatString("(%d) OPLOCK_THREAD_EXISTS", value);
- case 0x10E: FormatString("(%d) VOLUME_CHANGED", value);
- case 0x10F: FormatString("(%d) FINDNOTIFY_HANDLE_IN_USE", value);
- case 0x110: FormatString("(%d) FINDNOTIFY_HANDLE_CLOSED", value);
- case 0x111: FormatString("(%d) NOTIFY_OBJECT_REMOVED", value);
- case 0x112: FormatString("(%d) ALREADY_SHUTDOWN", value);
- case 0x113: FormatString("(%d) EAS_DIDNT_FIT", value);
- case 0x114: FormatString("(%d) EA_FILE_CORRUPT", value);
- case 0x115: FormatString("(%d) EA_TABLE_FULL", value);
- case 0x116: FormatString("(%d) INVALID_EA_HANDLE", value);
- case 0x117: FormatString("(%d) NO_CLUSTER", value);
- case 0x118: FormatString("(%d) CREATE_EA_FILE", value);
- case 0x119: FormatString("(%d) CANNOT_OPEN_EA_FILE", value);
- case 0x11A: FormatString("(%d) EAS_NOT_SUPPORTED", value);
- case 0x120: FormatString("(%d) NOT_OWNER", value);
- case 0x12A: FormatString("(%d) TOO_MANY_POSTS", value);
- case 0x12B: FormatString("(%d) PARTIAL_COPY", value);
- case 0x12F: FormatString("(%d) INVALID_PROCID", value);
- case 0x130: FormatString("(%d) INVALID_PDELTA", value);
- case 0x131: FormatString("(%d) NOT_DESCENDANT", value);
- case 0x132: FormatString("(%d) NOT_SESSION_MANAGER", value);
- case 0x133: FormatString("(%d) INVALID_PCLASS", value);
- case 0x134: FormatString("(%d) INVALID_SCOPE", value);
- case 0x135: FormatString("(%d) INVALID_THREADID", value);
- case 0x136: FormatString("(%d) DOSSUB_SHRINK", value);
- case 0x137: FormatString("(%d) DOSSUB_NOMEM", value);
- case 0x138: FormatString("(%d) DOSSUB_OVERLAP", value);
- case 0x139: FormatString("(%d) DOSSUB_BADSIZE", value);
- case 0x13A: FormatString("(%d) DOSSUB_BADFLAG", value);
- case 0x13B: FormatString("(%d) DOSSUB_BADSELECTOR", value);
- case 0x13C: FormatString("(%d) MR_MSG_TOO_LONG", value);
- case 0x13D: FormatString("(%d) MR_MID_NOT_FOUND", value);
- case 0x13E: FormatString("(%d) MR_UN_ACC_MSGF", value);
- case 0x13F: FormatString("(%d) MR_INV_MSGF_FORMAT", value);
- case 0x140: FormatString("(%d) MR_INV_IVCOUNT", value);
- case 0x141: FormatString("(%d) MR_UN_PERFORM", value);
- case 0x142: FormatString("(%d) TS_WAKEUP", value);
- case 0x143: FormatString("(%d) TS_SEMHANDLE", value);
- case 0x144: FormatString("(%d) TS_NOTIMER", value);
- case 0x146: FormatString("(%d) TS_HANDLE", value);
- case 0x147: FormatString("(%d) TS_DATETIME", value);
- case 0x148: FormatString("(%d) SYS_INTERNAL", value);
- case 0x149: FormatString("(%d) QUE_CURRENT_NAME", value);
- case 0x14A: FormatString("(%d) QUE_PROC_NOT_OWNED", value);
- case 0x14B: FormatString("(%d) QUE_PROC_OWNED", value);
- case 0x14C: FormatString("(%d) QUE_DUPLICATE", value);
- case 0x14D: FormatString("(%d) QUE_ELEMENT_NOT_EXIST", value);
- case 0x14E: FormatString("(%d) QUE_NO_MEMORY", value);
- case 0x14F: FormatString("(%d) QUE_INVALID_NAME", value);
- case 0x150: FormatString("(%d) QUE_INVALID_PRIORITY", value);
- case 0x151: FormatString("(%d) QUE_INVALID_HANDLE", value);
- case 0x152: FormatString("(%d) QUE_LINK_NOT_FOUND", value);
- case 0x153: FormatString("(%d) QUE_MEMORY_ERROR", value);
- case 0x154: FormatString("(%d) QUE_PREV_AT_END", value);
- case 0x155: FormatString("(%d) QUE_PROC_NO_ACCESS", value);
- case 0x156: FormatString("(%d) QUE_EMPTY", value);
- case 0x157: FormatString("(%d) QUE_NAME_NOT_EXIST", value);
- case 0x158: FormatString("(%d) QUE_NOT_INITIALIZED", value);
- case 0x159: FormatString("(%d) QUE_UNABLE_TO_ACCESS", value);
- case 0x15A: FormatString("(%d) QUE_UNABLE_TO_ADD", value);
- case 0x15B: FormatString("(%d) QUE_UNABLE_TO_INIT", value);
- case 0x15D: FormatString("(%d) VIO_INVALID_MASK", value);
- case 0x15E: FormatString("(%d) VIO_PTR", value);
- case 0x15F: FormatString("(%d) VIO_APTR", value);
- case 0x160: FormatString("(%d) VIO_RPTR", value);
- case 0x161: FormatString("(%d) VIO_CPTR", value);
- case 0x162: FormatString("(%d) VIO_LPTR", value);
- case 0x163: FormatString("(%d) VIO_MODE", value);
- case 0x164: FormatString("(%d) VIO_WIDTH", value);
- case 0x165: FormatString("(%d) VIO_ATTR", value);
- case 0x166: FormatString("(%d) VIO_ROW", value);
- case 0x167: FormatString("(%d) VIO_COL", value);
- case 0x168: FormatString("(%d) VIO_TOPROW", value);
- case 0x169: FormatString("(%d) VIO_BOTROW", value);
- case 0x16A: FormatString("(%d) VIO_RIGHTCOL", value);
- case 0x16B: FormatString("(%d) VIO_LEFTCOL", value);
- case 0x16C: FormatString("(%d) SCS_CALL", value);
- case 0x16D: FormatString("(%d) SCS_VALUE", value);
- case 0x16E: FormatString("(%d) VIO_WAIT_FLAG", value);
- case 0x16F: FormatString("(%d) VIO_UNLOCK", value);
- case 0x170: FormatString("(%d) SGS_NOT_SESSION_MGR", value);
- case 0x171: FormatString("(%d) SMG_INVALID_SESSION_ID", value);
- case 0x172: FormatString("(%d) SMG_NO_SESSIONS", value);
- case 0x173: FormatString("(%d) SMG_SESSION_NOT_FOUND", value);
- case 0x174: FormatString("(%d) SMG_SET_TITLE", value);
- case 0x175: FormatString("(%d) KBD_PARAMETER", value);
- case 0x176: FormatString("(%d) KBD_NO_DEVICE", value);
- case 0x177: FormatString("(%d) KBD_INVALID_IOWAIT", value);
- case 0x178: FormatString("(%d) KBD_INVALID_LENGTH", value);
- case 0x179: FormatString("(%d) KBD_INVALID_ECHO_MASK", value);
- case 0x17A: FormatString("(%d) KBD_INVALID_INPUT_MASK", value);
- case 0x17B: FormatString("(%d) MON_INVALID_PARMS", value);
- case 0x17C: FormatString("(%d) MON_INVALID_DEVNAME", value);
- case 0x17D: FormatString("(%d) MON_INVALID_HANDLE", value);
- case 0x17E: FormatString("(%d) MON_BUFFER_TOO_SMALL", value);
- case 0x17F: FormatString("(%d) MON_BUFFER_EMPTY", value);
- case 0x180: FormatString("(%d) MON_DATA_TOO_LARGE", value);
- case 0x181: FormatString("(%d) MOUSE_NO_DEVICE", value);
- case 0x182: FormatString("(%d) MOUSE_INV_HANDLE", value);
- case 0x183: FormatString("(%d) MOUSE_INV_PARMS", value);
- case 0x184: FormatString("(%d) MOUSE_CANT_RESET", value);
- case 0x185: FormatString("(%d) MOUSE_DISPLAY_PARMS", value);
- case 0x186: FormatString("(%d) MOUSE_INV_MODULE", value);
- case 0x187: FormatString("(%d) MOUSE_INV_ENTRY_PT", value);
- case 0x188: FormatString("(%d) MOUSE_INV_MASK", value);
- case 0x189: FormatString("(%d) NO_MOUSE_NO_DATA", value);
- case 0x18A: FormatString("(%d) NO_MOUSE_PTR_DRAWN", value);
- case 0x18B: FormatString("(%d) INVALID_FREQUENCY", value);
- case 0x18C: FormatString("(%d) NLS_NO_COUNTRY_FILE", value);
- case 0x18D: FormatString("(%d) NLS_OPEN_FAILED", value);
- case 0x18E: FormatString("(%d) NO_COUNTRY_OR_CODEPAGE", value);
- case 0x18F: FormatString("(%d) NLS_TABLE_TRUNCATED", value);
- case 0x190: FormatString("(%d) NLS_BAD_TYPE", value);
- case 0x191: FormatString("(%d) NLS_TYPE_NOT_FOUND", value);
- case 0x192: FormatString("(%d) VIO_SMG_ONLY", value);
- case 0x193: FormatString("(%d) VIO_INVALID_ASCIIZ", value);
- case 0x194: FormatString("(%d) VIO_DEREGISTER", value);
- case 0x195: FormatString("(%d) VIO_NO_POPUP", value);
- case 0x196: FormatString("(%d) VIO_EXISTING_POPUP", value);
- case 0x197: FormatString("(%d) KBD_SMG_ONLY", value);
- case 0x198: FormatString("(%d) KBD_INVALID_ASCIIZ", value);
- case 0x199: FormatString("(%d) KBD_INVALID_MASK", value);
- case 0x19A: FormatString("(%d) KBD_REGISTER", value);
- case 0x19B: FormatString("(%d) KBD_DEREGISTER", value);
- case 0x19C: FormatString("(%d) MOUSE_SMG_ONLY", value);
- case 0x19D: FormatString("(%d) MOUSE_INVALID_ASCIIZ", value);
- case 0x19E: FormatString("(%d) MOUSE_INVALID_MASK", value);
- case 0x19F: FormatString("(%d) MOUSE_REGISTER", value);
- case 0x1A0: FormatString("(%d) MOUSE_DEREGISTER", value);
- case 0x1A1: FormatString("(%d) SMG_BAD_ACTION", value);
- case 0x1A2: FormatString("(%d) SMG_INVALID_CALL", value);
- case 0x1A3: FormatString("(%d) SCS_SG_NOTFOUND", value);
- case 0x1A4: FormatString("(%d) SCS_NOT_SHELL", value);
- case 0x1A5: FormatString("(%d) VIO_INVALID_PARMS", value);
- case 0x1A6: FormatString("(%d) VIO_FUNCTION_OWNED", value);
- case 0x1A7: FormatString("(%d) VIO_RETURN", value);
- case 0x1A8: FormatString("(%d) SCS_INVALID_FUNCTION", value);
- case 0x1A9: FormatString("(%d) SCS_NOT_SESSION_MGR", value);
- case 0x1AA: FormatString("(%d) VIO_REGISTER", value);
- case 0x1AB: FormatString("(%d) VIO_NO_MODE_THREAD", value);
- case 0x1AC: FormatString("(%d) VIO_NO_SAVE_RESTORE_THD", value);
- case 0x1AD: FormatString("(%d) VIO_IN_BG", value);
- case 0x1AE: FormatString("(%d) VIO_ILLEGAL_DURING_POPUP", value);
- case 0x1AF: FormatString("(%d) SMG_NOT_BASESHELL", value);
- case 0x1B0: FormatString("(%d) SMG_BAD_STATUSREQ", value);
- case 0x1B1: FormatString("(%d) QUE_INVALID_WAIT", value);
- case 0x1B2: FormatString("(%d) VIO_LOCK", value);
- case 0x1B3: FormatString("(%d) MOUSE_INVALID_IOWAIT", value);
- case 0x1B4: FormatString("(%d) VIO_INVALID_HANDLE", value);
- case 0x1B5: FormatString("(%d) VIO_ILLEGAL_DURING_LOCK", value);
- case 0x1B6: FormatString("(%d) VIO_INVALID_LENGTH", value);
- case 0x1B7: FormatString("(%d) KBD_INVALID_HANDLE", value);
- case 0x1B8: FormatString("(%d) KBD_NO_MORE_HANDLE", value);
- case 0x1B9: FormatString("(%d) KBD_CANNOT_CREATE_KCB", value);
- case 0x1BA: FormatString("(%d) KBD_CODEPAGE_LOAD_INCOMPL", value);
- case 0x1BB: FormatString("(%d) KBD_INVALID_CODEPAGE_ID", value);
- case 0x1BC: FormatString("(%d) KBD_NO_CODEPAGE_SUPPORT", value);
- case 0x1BD: FormatString("(%d) KBD_FOCUS_REQUIRED", value);
- case 0x1BE: FormatString("(%d) KBD_FOCUS_ALREADY_ACTIVE", value);
- case 0x1BF: FormatString("(%d) KBD_KEYBOARD_BUSY", value);
- case 0x1C0: FormatString("(%d) KBD_INVALID_CODEPAGE", value);
- case 0x1C1: FormatString("(%d) KBD_UNABLE_TO_FOCUS", value);
- case 0x1C2: FormatString("(%d) SMG_SESSION_NON_SELECT", value);
- case 0x1C3: FormatString("(%d) SMG_SESSION_NOT_FOREGRND", value);
- case 0x1C4: FormatString("(%d) SMG_SESSION_NOT_PARENT", value);
- case 0x1C5: FormatString("(%d) SMG_INVALID_START_MODE", value);
- case 0x1C6: FormatString("(%d) SMG_INVALID_RELATED_OPT", value);
- case 0x1C7: FormatString("(%d) SMG_INVALID_BOND_OPTION", value);
- case 0x1C8: FormatString("(%d) SMG_INVALID_SELECT_OPT", value);
- case 0x1C9: FormatString("(%d) SMG_START_IN_BACKGROUND", value);
- case 0x1CA: FormatString("(%d) SMG_INVALID_STOP_OPTION", value);
- case 0x1CB: FormatString("(%d) SMG_BAD_RESERVE", value);
- case 0x1CC: FormatString("(%d) SMG_PROCESS_NOT_PARENT", value);
- case 0x1CD: FormatString("(%d) SMG_INVALID_DATA_LENGTH", value);
- case 0x1CE: FormatString("(%d) SMG_NOT_BOUND", value);
- case 0x1CF: FormatString("(%d) SMG_RETRY_SUB_ALLOC", value);
- case 0x1D0: FormatString("(%d) KBD_DETACHED", value);
- case 0x1D1: FormatString("(%d) VIO_DETACHED", value);
- case 0x1D2: FormatString("(%d) MOU_DETACHED", value);
- case 0x1D3: FormatString("(%d) VIO_FONT", value);
- case 0x1D4: FormatString("(%d) VIO_USER_FONT", value);
- case 0x1D5: FormatString("(%d) VIO_BAD_CP", value);
- case 0x1D6: FormatString("(%d) VIO_NO_CP", value);
- case 0x1D7: FormatString("(%d) VIO_NA_CP", value);
- case 0x1D8: FormatString("(%d) INVALID_CODE_PAGE", value);
- case 0x1D9: FormatString("(%d) CPLIST_TOO_SMALL", value);
- case 0x1DA: FormatString("(%d) CP_NOT_MOVED", value);
- case 0x1DB: FormatString("(%d) MODE_SWITCH_INIT", value);
- case 0x1DC: FormatString("(%d) CODE_PAGE_NOT_FOUND", value);
- case 0x1DD: FormatString("(%d) UNEXPECTED_SLOT_RETURNED", value);
- case 0x1DE: FormatString("(%d) SMG_INVALID_TRACE_OPTION", value);
- case 0x1DF: FormatString("(%d) VIO_INTERNAL_RESOURCE", value);
- case 0x1E0: FormatString("(%d) VIO_SHELL_INIT", value);
- case 0x1E1: FormatString("(%d) SMG_NO_HARD_ERRORS", value);
- case 0x1E2: FormatString("(%d) CP_SWITCH_INCOMPLETE", value);
- case 0x1E3: FormatString("(%d) VIO_TRANSPARENT_POPUP", value);
- case 0x1E4: FormatString("(%d) CRITSEC_OVERFLOW", value);
- case 0x1E5: FormatString("(%d) CRITSEC_UNDERFLOW", value);
- case 0x1E6: FormatString("(%d) VIO_BAD_RESERVE", value);
- case 0x1E7: FormatString("(%d) INVALID_ADDRESS", value);
- case 0x1E8: FormatString("(%d) ZERO_SELECTORS_REQUESTED", value);
- case 0x1E9: FormatString("(%d) NOT_ENOUGH_SELECTORS_AVA", value);
- case 0x1EA: FormatString("(%d) INVALID_SELECTOR", value);
- case 0x1EB: FormatString("(%d) SMG_INVALID_PROGRAM_TYPE", value);
- case 0x1EC: FormatString("(%d) SMG_INVALID_PGM_CONTROL", value);
- case 0x1ED: FormatString("(%d) SMG_INVALID_INHERIT_OPT", value);
- case 0x1EE: FormatString("(%d) VIO_EXTENDED_SG", value);
- case 0x1EF: FormatString("(%d) VIO_NOT_PRES_MGR_SG", value);
- case 0x1F0: FormatString("(%d) VIO_SHIELD_OWNED", value);
- case 0x1F1: FormatString("(%d) VIO_NO_MORE_HANDLES", value);
- case 0x1F2: FormatString("(%d) VIO_SEE_LOG", value);
- case 0x1F3: FormatString("(%d) VIO_ASSOCIATED_DC", value);
- case 0x1F4: FormatString("(%d) KBD_NO_CONSOLE", value);
- case 0x1F5: FormatString("(%d) MOUSE_NO_CONSOLE", value);
- case 0x1F6: FormatString("(%d) MOUSE_INVALID_HANDLE", value);
- case 0x1F7: FormatString("(%d) SMG_INVALID_DEBUG_PARMS", value);
- case 0x1F8: FormatString("(%d) KBD_EXTENDED_SG", value);
- case 0x1F9: FormatString("(%d) MOU_EXTENDED_SG", value);
- case 0x1FA: FormatString("(%d) SMG_INVALID_ICON_FILE", value);
- case 0x216: FormatString("(%d) ARITHMETIC_OVERFLOW", value);
- case 0x217: FormatString("(%d) PIPE_CONNECTED", value);
- case 0x218: FormatString("(%d) PIPE_LISTENING", value);
- case 0x258: FormatString("(%d) PENDING", value);
- case 0x259: FormatString("(%d) INVALID_PORT_HANDLE", value);
- case 0x25A: FormatString("(%d) PORT_ALREADY_OPEN", value);
- case 0x25B: FormatString("(%d) BUFFER_TOO_SMALL", value);
- case 0x25C: FormatString("(%d) WRONG_INFO_SPECIFIED", value);
- case 0x25D: FormatString("(%d) CANNOT_SET_PORT_INFO", value);
- case 0x25E: FormatString("(%d) PORT_NOT_CONNECTED", value);
- case 0x25F: FormatString("(%d) EVENT_INVALID", value);
- case 0x260: FormatString("(%d) DEVICE_DOES_NOT_EXIST", value);
- case 0x261: FormatString("(%d) DEVICETYPE_DOES_NOT_EXIST", value);
- case 0x262: FormatString("(%d) BUFFER_INVALID", value);
- case 0x263: FormatString("(%d) ROUTE_NOT_AVAILABLE", value);
- case 0x264: FormatString("(%d) ROUTE_NOT_ALLOCATED", value);
- case 0x265: FormatString("(%d) INVALID_COMPRESSION_SPECIFIED", value);
- case 0x266: FormatString("(%d) OUT_OF_BUFFERS", value);
- case 0x267: FormatString("(%d) PORT_NOT_FOUND", value);
- case 0x268: FormatString("(%d) ASYNC_REQUEST_PENDING", value);
- case 0x269: FormatString("(%d) ALREADY_DISCONNECTING", value);
- case 0x26A: FormatString("(%d) PORT_NOT_OPEN", value);
- case 0x26B: FormatString("(%d) PORT_DISCONNECTED", value);
- case 0x26C: FormatString("(%d) NO_ENDPOINTS", value);
- case 0x26D: FormatString("(%d) CANNOT_OPEN_PHONEBOOK", value);
- case 0x26E: FormatString("(%d) CANNOT_LOAD_PHONEBOOK", value);
- case 0x26F: FormatString("(%d) CANNOT_FIND_PHONEBOOK_ENTRY", value);
- case 0x270: FormatString("(%d) CANNOT_WRITE_PHONEBOOK", value);
- case 0x271: FormatString("(%d) CORRUPT_PHONEBOOK", value);
- case 0x272: FormatString("(%d) CANNOT_LOAD_STRING", value);
- case 0x273: FormatString("(%d) KEY_NOT_FOUND", value);
- case 0x274: FormatString("(%d) DISCONNECTION", value);
- case 0x275: FormatString("(%d) REMOTE_DISCONNECTION", value);
- case 0x276: FormatString("(%d) HARDWARE_FAILURE", value);
- case 0x277: FormatString("(%d) USER_DISCONNECTION", value);
- case 0x278: FormatString("(%d) INVALID_SIZE", value);
- case 0x279: FormatString("(%d) PORT_NOT_AVAILABLE", value);
- case 0x27A: FormatString("(%d) CANNOT_PROJECT_CLIENT", value);
- case 0x27B: FormatString("(%d) UNKNOWN", value);
- case 0x27C: FormatString("(%d) WRONG_DEVICE_ATTACHED", value);
- case 0x27D: FormatString("(%d) BAD_STRING", value);
- case 0x27E: FormatString("(%d) REQUEST_TIMEOUT", value);
- case 0x27F: FormatString("(%d) CANNOT_GET_LANA", value);
- case 0x280: FormatString("(%d) NETBIOS_ERROR", value);
- case 0x281: FormatString("(%d) SERVER_OUT_OF_RESOURCES", value);
- case 0x282: FormatString("(%d) NAME_EXISTS_ON_NET", value);
- case 0x283: FormatString("(%d) SERVER_GENERAL_NET_FAILURE", value);
- case 0x284: FormatString("(%d) WARNING_MSG_ALIAS_NOT_ADDED", value);
- case 0x285: FormatString("(%d) AUTH_INTERNAL", value);
- case 0x286: FormatString("(%d) RESTRICTED_LOGON_HOURS", value);
- case 0x287: FormatString("(%d) ACCT_DISABLED", value);
- case 0x288: FormatString("(%d) PASSWD_EXPIRED", value);
- case 0x289: FormatString("(%d) NO_DIALIN_PERMISSION", value);
- case 0x28A: FormatString("(%d) SERVER_NOT_RESPONDING", value);
- case 0x28B: FormatString("(%d) FROM_DEVICE", value);
- case 0x28C: FormatString("(%d) UNRECOGNIZED_RESPONSE", value);
- case 0x28D: FormatString("(%d) MACRO_NOT_FOUND", value);
- case 0x28E: FormatString("(%d) MACRO_NOT_DEFINED", value);
- case 0x28F: FormatString("(%d) MESSAGE_MACRO_NOT_FOUND", value);
- case 0x290: FormatString("(%d) DEFAULTOFF_MACRO_NOT_FOUND", value);
- case 0x291: FormatString("(%d) FILE_COULD_NOT_BE_OPENED", value);
- case 0x292: FormatString("(%d) DEVICENAME_TOO_LONG", value);
- case 0x293: FormatString("(%d) DEVICENAME_NOT_FOUND", value);
- case 0x294: FormatString("(%d) NO_RESPONSES", value);
- case 0x295: FormatString("(%d) NO_COMMAND_FOUND", value);
- case 0x296: FormatString("(%d) WRONG_KEY_SPECIFIED", value);
- case 0x297: FormatString("(%d) UNKNOWN_DEVICE_TYPE", value);
- case 0x298: FormatString("(%d) ALLOCATING_MEMORY", value);
- case 0x299: FormatString("(%d) PORT_NOT_CONFIGURED", value);
- case 0x29A: FormatString("(%d) DEVICE_NOT_READY", value);
- case 0x29B: FormatString("(%d) READING_INI_FILE", value);
- case 0x29C: FormatString("(%d) NO_CONNECTION", value);
- case 0x29D: FormatString("(%d) BAD_USAGE_IN_INI_FILE", value);
- case 0x29E: FormatString("(%d) READING_SECTIONNAME", value);
- case 0x29F: FormatString("(%d) READING_DEVICETYPE", value);
- case 0x2A0: FormatString("(%d) READING_DEVICENAME", value);
- case 0x2A1: FormatString("(%d) READING_USAGE", value);
- case 0x2A2: FormatString("(%d) READING_MAXCONNECTBPS", value);
- case 0x2A3: FormatString("(%d) READING_MAXCARRIERBPS", value);
- case 0x2A4: FormatString("(%d) LINE_BUSY", value);
- case 0x2A5: FormatString("(%d) VOICE_ANSWER", value);
- case 0x2A6: FormatString("(%d) NO_ANSWER", value);
- case 0x2A7: FormatString("(%d) NO_CARRIER", value);
- case 0x2A8: FormatString("(%d) NO_DIALTONE", value);
- case 0x2A9: FormatString("(%d) IN_COMMAND", value);
- case 0x2AA: FormatString("(%d) WRITING_SECTIONNAME", value);
- case 0x2AB: FormatString("(%d) WRITING_DEVICETYPE", value);
- case 0x2AC: FormatString("(%d) WRITING_DEVICENAME", value);
- case 0x2AD: FormatString("(%d) WRITING_MAXCONNECTBPS", value);
- case 0x2AE: FormatString("(%d) WRITING_MAXCARRIERBPS", value);
- case 0x2AF: FormatString("(%d) WRITING_USAGE", value);
- case 0x2B0: FormatString("(%d) WRITING_DEFAULTOFF", value);
- case 0x2B1: FormatString("(%d) READING_DEFAULTOFF", value);
- case 0x2B2: FormatString("(%d) EMPTY_INI_FILE", value);
- case 0x2B3: FormatString("(%d) AUTHENTICATION_FAILURE", value);
- case 0x2B4: FormatString("(%d) PORT_OR_DEVICE", value);
- case 0x2B5: FormatString("(%d) NOT_BINARY_MACRO", value);
- case 0x2B6: FormatString("(%d) DCB_NOT_FOUND", value);
- case 0x2B7: FormatString("(%d) STATE_MACHINES_NOT_STARTED", value);
- case 0x2B8: FormatString("(%d) STATE_MACHINES_ALREADY_STARTED", value);
- case 0x2B9: FormatString("(%d) PARTIAL_RESPONSE_LOOPING", value);
- case 0x2BA: FormatString("(%d) UNKNOWN_RESPONSE_KEY", value);
- case 0x2BB: FormatString("(%d) RECV_BUF_FULL", value);
- case 0x2BC: FormatString("(%d) CMD_TOO_LONG", value);
- case 0x2BD: FormatString("(%d) UNSUPPORTED_BPS", value);
- case 0x2BE: FormatString("(%d) UNEXPECTED_RESPONSE", value);
- case 0x2BF: FormatString("(%d) INTERACTIVE_MODE", value);
- case 0x2C0: FormatString("(%d) BAD_CALLBACK_NUMBER", value);
- case 0x2C1: FormatString("(%d) INVALID_AUTH_STATE", value);
- case 0x2C2: FormatString("(%d) WRITING_INITBPS", value);
- case 0x2C3: FormatString("(%d) X25_DIAGNOSTIC", value);
- case 0x2C4: FormatString("(%d) ACCT_EXPIRED", value);
- case 0x2C5: FormatString("(%d) CHANGING_PASSWORD", value);
- case 0x2C6: FormatString("(%d) OVERRUN", value);
- case 0x2C7: FormatString("(%d) RASMAN_CANNOT_INITIALIZE", value);
- case 0x2C8: FormatString("(%d) BIPLEX_PORT_NOT_AVAILABLE", value);
- case 0x2C9: FormatString("(%d) NO_ACTIVE_ISDN_LINES", value);
- case 0x2CA: FormatString("(%d) NO_ISDN_CHANNELS_AVAILABLE", value);
- case 0x2CB: FormatString("(%d) TOO_MANY_LINE_ERRORS", value);
- case 0x2CC: FormatString("(%d) IP_CONFIGURATION", value);
- case 0x2CD: FormatString("(%d) NO_IP_ADDRESSES", value);
- case 0x2CE: FormatString("(%d) PPP_TIMEOUT", value);
- case 0x2CF: FormatString("(%d) PPP_REMOTE_TERMINATED", value);
- case 0x2D0: FormatString("(%d) PPP_NO_PROTOCOLS_CONFIGURED", value);
- case 0x2D1: FormatString("(%d) PPP_NO_RESPONSE", value);
- case 0x2D2: FormatString("(%d) PPP_INVALID_PACKET", value);
- case 0x2D3: FormatString("(%d) PHONE_NUMBER_TOO_LONG", value);
- case 0x2D4: FormatString("(%d) IPXCP_NO_DIALOUT_CONFIGURED", value);
- case 0x2D5: FormatString("(%d) IPXCP_NO_DIALIN_CONFIGURED", value);
- case 0x2D6: FormatString("(%d) IPXCP_DIALOUT_ALREADY_ACTIVE", value);
- case 0x2D7: FormatString("(%d) ACCESSING_TCPCFGDLL", value);
- case 0x2D8: FormatString("(%d) NO_IP_RAS_ADAPTER", value);
- case 0x2D9: FormatString("(%d) SLIP_REQUIRES_IP", value);
- case 0x2DA: FormatString("(%d) PROJECTION_NOT_COMPLETE", value);
- case 0x2DB: FormatString("(%d) PROTOCOL_NOT_CONFIGURED", value);
- case 0x2DC: FormatString("(%d) PPP_NOT_CONVERGING", value);
- case 0x2DD: FormatString("(%d) PPP_CP_REJECTED", value);
- case 0x2DE: FormatString("(%d) PPP_LCP_TERMINATED", value);
- case 0x2DF: FormatString("(%d) PPP_REQUIRED_ADDRESS_REJECTED", value);
- case 0x2E0: FormatString("(%d) PPP_NCP_TERMINATED", value);
- case 0x2E1: FormatString("(%d) PPP_LOOPBACK_DETECTED", value);
- case 0x2E2: FormatString("(%d) PPP_NO_ADDRESS_ASSIGNED", value);
- case 0x2E3: FormatString("(%d) CANNOT_USE_LOGON_CREDENTIALS", value);
- case 0x2E4: FormatString("(%d) TAPI_CONFIGURATION", value);
- case 0x2E5: FormatString("(%d) NO_LOCAL_ENCRYPTION", value);
- case 0x2E6: FormatString("(%d) NO_REMOTE_ENCRYPTION", value);
- case 0x2E7: FormatString("(%d) REMOTE_REQUIRES_ENCRYPTION", value);
- case 0x2E8: FormatString("(%d) IPXCP_NET_NUMBER_CONFLICT", value);
- case 0x2E9: FormatString("(%d) INVALID_SMM", value);
- case 0x2EA: FormatString("(%d) SMM_UNINITIALIZED", value);
- case 0x2EB: FormatString("(%d) NO_MAC_FOR_PORT", value);
- case 0x2EC: FormatString("(%d) SMM_TIMEOUT", value);
- case 0x2ED: FormatString("(%d) BAD_PHONE_NUMBER", value);
- case 0x2EE: FormatString("(%d) WRONG_MODULE", value);
- case 0x2EF: FormatString("(%d) INVALID_CALLBACK_NUMBER", value);
- case 0x2F0: FormatString("(%d) SCRIPT_SYNTAX", value);
- case 0x76D: FormatString("(%d) INVALID_TIME", value);
- case 0x76E: FormatString("(%d) INVALID_FORM_NAME", value);
- case 0x76F: FormatString("(%d) INVALID_FORM_SIZE", value);
- case 0x770: FormatString("(%d) ALREADY_WAITING", value);
- case 0x771: FormatString("(%d) PRINTER_DELETED", value);
- case 0x772: FormatString("(%d) INVALID_PRINTER_STATE", value);
- case 0x773: FormatString("(%d) PASSWORD_MUST_CHANGE", value);
- case 0x774: FormatString("(%d) DOMAIN_CONTROLLER_NOT_FOUND", value);
- case 0x775: FormatString("(%d) ACCOUNT_LOCKED_OUT", value);
- case 0x842: FormatString("(%d) ServerNotStarted", value);
- case 0x843: FormatString("(%d) ItemNotFound", value);
- case 0x844: FormatString("(%d) UnknownDevDir", value);
- case 0x845: FormatString("(%d) RedirectedPath", value);
- case 0x846: FormatString("(%d) DuplicateShare", value);
- case 0x847: FormatString("(%d) NoRoom", value);
- case 0x849: FormatString("(%d) TooManyItems", value);
- case 0x84A: FormatString("(%d) InvalidMaxUsers", value);
- case 0x84B: FormatString("(%d) BufTooSmall", value);
- case 0x84F: FormatString("(%d) RemoteErr", value);
- case 0x853: FormatString("(%d) LanmanIniError", value);
- case 0x856: FormatString("(%d) OS2IoctlError", value);
- case 0x858: FormatString("(%d) NetworkError", value);
- case 0x85A: FormatString("(%d) WkstaNotStarted", value);
- case 0x85B: FormatString("(%d) BrowserNotStarted", value);
- case 0x85C: FormatString("(%d) InternalError", value);
- case 0x85D: FormatString("(%d) BadTransactConfig", value);
- case 0x85E: FormatString("(%d) InvalidAPI", value);
- case 0x85F: FormatString("(%d) BadEventName", value);
- default: FormatString("(%d) Unknown", value);
- }
- }
-
- Table SMBErrorCodesERRSRVTable(value)
- {
- switch(value)
- {
- case 1: FormatString("(%d) Non-specific error code", value);
- case 2: FormatString("(%d) Bad name/password pair", value);
- case 3: FormatString("(%d) DFS PATH_NOT_FOUND", value);
- case 4: FormatString("(%d) Network access denied", value);
- case 5: FormatString("(%d) Invalid tree identifier (TID)", value);
- case 6: FormatString("(%d) Invalid network name in tree connect", value);
- case 7: FormatString("(%d) Invalid device type", value);
- case 16: FormatString("(%d) Bad SID", value);
- case 17: FormatString("(%d) Working...", value);
- case 18: FormatString("(%d) NOT Me", value);
- case 49: FormatString("(%d) Print queue full--returned print file", value);
- case 50: FormatString("(%d) Print queue full--no space", value);
- case 51: FormatString("(%d) End of print queue list", value);
- case 52: FormatString("(%d) Invalid print file identifier (FID)", value);
- case 64: FormatString("(%d) SMB command NOT recognized", value);
- case 65: FormatString("(%d) Internal server error", value);
- case 67: FormatString("(%d) File identifier and pathname were invalid", value);
- case 68: FormatString("(%d) Reserved", value);
- case 69: FormatString("(%d) Insufficient access permissions", value);
- case 70: FormatString("(%d) Reserved", value);
- case 71: FormatString("(%d) Invalid attribute mode specified", value);
- case 81: FormatString("(%d) Server is paused", value);
- case 82: FormatString("(%d) Server is NOT receiving messages", value);
- case 83: FormatString("(%d) No room to buffer message", value);
- case 87: FormatString("(%d) Too many remote user names", value);
- case 88: FormatString("(%d) Operation timed out", value);
- case 89: FormatString("(%d) No resources available for request", value);
- case 90: FormatString("(%d) Too many user identifiers active in session", value);
- case 91: FormatString("(%d) Invalid user identifier", value);
- case 123: FormatString("(%d) Invalid name returned from FAT", value);
- case 206: FormatString("(%d) Non 8.3 name passed to FAT (or non 255 name to HPFS)", value);
- case 250: FormatString("(%d) Can't support Raw; use MPX", value);
- case 251: FormatString("(%d) Can't support Raw, use core read and write", value);
- case 252: FormatString("(%d) Continue in MPX mode", value);
- case 253: FormatString("(%d) Reserved", value);
- case 254: FormatString("(%d) Reserved", value);
- case 255: FormatString("(%d) Function NOT supported", value);
- case 2242: FormatString("(%d) Password Expired", value);
- case 0xFFFF: FormatString("(%d) Function NOT supported", value);
- default: FormatString("(%d) Unknown", value);
- }
- }
-
- Table SMBErrorCodesERRHRDTable(value)
- {
- switch(value)
- {
- case 0x0013: FormatString("(%d) Write attempted on write-protected disk", value);
- case 0x0014: FormatString("(%d) Unknown unit", value);
- case 0x0015: FormatString("(%d) Disk drive NOT ready", value);
- case 0x0016: FormatString("(%d) Unknown command", value);
- case 0x0017: FormatString("(%d) Data error (CRC)", value);
- case 0x0018: FormatString("(%d) Bad request structure length", value);
- case 0x0019: FormatString("(%d) Seek error", value);
- case 0x001A: FormatString("(%d) Unknown media type", value);
- case 0x001B: FormatString("(%d) Sector NOT found", value);
- case 0x001C: FormatString("(%d) Printer out of paper", value);
- case 0x001D: FormatString("(%d) Write fault", value);
- case 0x001E: FormatString("(%d) Read fault", value);
- case 0x001F: FormatString("(%d) General failure", value);
- case 0x0020: FormatString("(%d) A open conflicts with an existing open", value);
- case 0x0021: FormatString("(%d) Lock conflicts with existing lock", value);
- case 0x0022: FormatString("(%d) Wrong disk was found in a drive", value);
- case 0x0023: FormatString("(%d) No FCBs available to process request", value);
- case 0x0024: FormatString("(%d) Buffer overflow", value);
- case 0x0025: FormatString("(%d) Disk full", value);
- default: FormatString("(%d) Unknown", value);
- }
- }
-
- Table SMBCreateActionTable(value)
- {
- switch(value)
- {
- case 0: "FILE_SUPERSEDED";
- case 1: "FILE_OPENED";
- case 2: "FILE_CREATED";
- case 3: "FILE_OVERWRITTEN";
- default: FormatString("(%d) Unknown", value);
- }
- }
-
- Table SMBCommandTable(value)
- {
- //SMB_COM_CREATE_DIRECTORY (0x00)
- //SMB_COM_DELETE_DIRECTORY (0x01)
- //SMB_COM_OPEN (0x02)
- //SMB_COM_CREATE (0x03)
- //SMB_COM_CLOSE (0x04)
- //SMB_COM_FLUSH (0x05)
- //SMB_COM_DELETE (0x06)
- //SMB_COM_RENAME (0x07)
- //SMB_COM_QUERY_INFORMATION (0x08)
- //SMB_COM_SET_INFORMATION (0x09)
- //SMB_COM_READ (0x0A)
- //SMB_COM_WRITE (0x0B)
- //SMB_COM_LOCK_BYTE_RANGE (0x0C)
- //SMB_COM_UNLOCK_BYTE_RANGE (0x0D)
- //SMB_COM_CREATE_TEMPORARY (0x0E)
- //SMB_COM_CREATE_NEW (0x0F)
- //SMB_COM_CHECK_DIRECTORY (0x10)
- //SMB_COM_PROCESS_EXIT (0x11)
- //SMB_COM_SEEK (0x12)
- //SMB_COM_LOCK_AND_READ (0x13)
- //SMB_COM_WRITE_AND_UNLOCK (0x14)
- //SMB_COM_READ_RAW (0x1A)
- //SMB_COM_READ_MPX (0x1B)
- //SMB_COM_READ_MPX_SECONDARY (0x1C)
- //SMB_COM_WRITE_RAW (0x1D)
- //SMB_COM_WRITE_MPX (0x1E)
- //SMB_COM_WRITE_MPX_SECONDARY (0x1F)
- //SMB_COM_WRITE_COMPLETE (0x20)
- //SMB_COM_SET_INFORMATION2 (0x22)
- //SMB_COM_QUERY_INFORMATION2 (0x23)
- //SMB_COM_LOCKING_ANDX (0x24)
- //SMB_COM_TRANSACTION (0x25)
- //SMB_COM_TRANSACTION_SECONDARY (0x26)
- //SMB_COM_IOCTL (0x27)
- //SMB_COM_IOCTL_SECONDARY (0x28)
- //SMB_COM_COPY (0x29)
- //SMB_COM_MOVE (0x2A)
- //SMB_COM_ECHO (0x2B)
- //SMB_COM_WRITE_AND_CLOSE (0x2C)
- //SMB_COM_OPEN_ANDX (0x2D)
- //SMB_COM_READ_ANDX (0x2E)
- //SMB_COM_WRITE_ANDX (0x2F)
- //SMB_COM_CLOSE_AND_TREE_DISC (0x31)
- //SMB_COM_TRANSACTION2 (0x32)
- //SMB_COM_TRANSACTION2_SECONDARY (0x33)
- //SMB_COM_FIND_CLOSE2 (0x34)
- //SMB_COM_FIND_NOTIFY_CLOSE (0x35)
- //SMB_COM_TREE_CONNECT (0x70)
- //SMB_COM_TREE_DISCONNECT (0x71)
- //SMB_COM_NEGOTIATE (0x72)
- //SMB_COM_SESSION_SETUP_ANDX (0x73)
- //SMB_COM_LOGOFF_ANDX (0x74)
- //SMB_COM_TREE_CONNECT_ANDX (0x75)
- //SMB_COM_QUERY_INFORMATION_DISK (0x80)
- //SMB_COM_SEARCH (0x81)
- //SMB_COM_FIND (0x82)
- //SMB_COM_FIND_UNIQUE (0x83)
- //SMB_COM_FIND_CLOSE ( 0x84)
- //SMB_COM_NT_TRANSACTION (0xA0)
- //SMB_COM_NT_TRANSACTION_SECONDARY (0xA1)
- //SMB_COM_NT_CREATE_ANDX (0xA2)
- //SMB_COM_NT_CANCEL (0xA4)
- //SMB_COM_NT_RENAME (0xA5)
- //SMB_COM_OPEN_PRINT_FILE (0xC0)
- //SMB_COM_WRITE_PRINT_FILE (0xC1)
- //SMB_COM_CLOSE_PRINT_FILE (0xC2)
- //SMB_COM_GET_PRINT_QUEUE (0xC3)
- //SMB_COM_SEND_MESSAGE (0xD0)
- //SMB_COM_SEND_BROADCAST_MESSAGE (0xD1)
- //SMB_COM_FORWARD_USER_NAME (0xD2)
- //SMB_COM_CANCEL_FORWARD (0xD3)
- //SMB_COM_GET_MACHINE_NAME (0xD4)
- //SMB_COM_SEND_START_MB_MESSAGE (OxD5)
- //SMB_COM_SEND_END_MB_MESSAGE (0xD6)
- //SMB_COM_SEND_TEXT_MB_MESSAGE (0xD7)
- //SMB_COM_READ_BULK (0xD8)
- //SMB_COM_WRITE_BULK (0xD9)
- //SMB_COM_WRITE_BULK_DATA (0xDA)
- switch
- {
- case value == 0x00: "Create Directory";
- case value == 0x01: "Delete Directory";
- case value == 0x02: "Open";
- case value == 0x03: "Create";
- case value == 0x04: "Close";
- case value == 0x05: "Flush";
- case value == 0x06: "Delete";
- case value == 0x07: "Rename";
- case value == 0x08: "Query Information";
- case value == 0x09: "Set Information";
- case value == 0x0A: "Read";
- case value == 0x0B: "Write";
- case value == 0x0C: "Lock Byte Range";
- case value == 0x0D: "Unlock Byte Range";
- case value == 0x0E: "Create Temporary";
- case value == 0x0F: "Create New";
- case value == 0x10: "Check Directory";
- case value == 0x11: "Process Exit";
- case value == 0x12: "Seek";
- case value == 0x13: "Lock And Read";
- case value == 0x14: "Write And Unlock";
- case value >= 0x15 && value <= 0x19: "Unused";
- case value == 0x1A: "Read Raw";
- case value == 0x1B: "Read MPX";
- case value == 0x1C: "Read MPX Secondary";
- case value == 0x1D: "Write Raw";
- case value == 0x1E: "Write Mpx";
- case value == 0x1F: "Write MPX Secondary";
- case value == 0x20: "Write Complete";
- case value == 0x21: "Query Server";
- case value == 0x22: "Set Information2";
- case value == 0x23: "Query Information2";
- case value == 0x24: "Locking Andx";
- case value == 0x25: "Transaction";
- case value == 0x26: "Transaction Secondary";
- case value == 0x27: "IOCTL";
- case value == 0x28: "IOCTL Secondary";
- case value == 0x29: "Copy";
- case value == 0x2A: "Move";
- case value == 0x2B: "Echo";
- case value == 0x2C: "Write And Close";
- case value == 0x2D: "Open Andx";
- case value == 0x2E: "Read Andx";
- case value == 0x2F: "Write Andx";
- case value == 0x30: "New File Size";
- case value == 0x31: "Close And Tree Disconnect";
- case value == 0x32: "Transact2";
- case value == 0x33: "Transact2 Secondary";
- case value == 0x34: "Find Close2";
- case value == 0x35: "Find Notify Close";
- case value >= 0x36 && value <=0x5f: "Unused";
- case value >= 0x60 && value <=0x6f: "Reserved";
- case value == 0x70: "Tree Connect";
- case value == 0x71: "Tree Disconnect";
- case value == 0x72: "Negotiate";
- case value == 0x73: "Session Setup Andx";
- case value == 0x74: "Logoff Andx";
- case value == 0x75: "Tree Connect Andx";
- case value >= 0x76 && value <= 0x7d: "Unused ";
- case value == 0x7e: "Security Package Andx";
- case value == 0x7f: "Unused";
- case value == 0x80: "Query Information Disk";
- case value == 0x81: "Search";
- case value == 0x82: "Find";
- case value == 0x83: "Find Unique";
- case value == 0x84: "Find Close";
- case value>=0x85 && value <= 0x9f: "Unused";
- case value == 0xa0: "Nt Transact";
- case value == 0xa1: "Nt Transact Secondary";
- case value == 0xa2: "Nt Create Andx";
- case value == 0xa3: "Unused";
- case value == 0xa4: "Nt Cancel";
- case value == 0xa5: "Nt Rename";
- case value >= 0xa6 && value <=0xbf: "Unused";
- case value == 0xc0: "Open Print File";
- case value == 0xC1: "Write Print File";
- case value == 0xC2: "Close Print File";
- case value == 0xC3: "Get Print Queue";
- case value >= 0xC4 && value <=0xcf: "Unused";
- case value == 0xD0: "Send Single Block Message";
- case value == 0xD1: "Send Broadcast Message";
- case value == 0xD2: "Forward User Name";
- case value == 0xD3: "Cancel Forward";
- case value == 0xD4: "Get Machine Name";
- case value == 0xD5: "Send Start of Multi-Block Message";
- case value == 0xD6: "Send End of Multi-Block Message";
- case value == 0xD7: "Send Text of Multi-Block Message";
- case value == 0xD8: "SMB Read Bulk";
- case value == 0xD9: "SMB Write Bulk";
- case value == 0xDA: "SMB Write Bulk Data";
- case value == 0xFE: "SMB COM INVALID";
- case value == 0xFF: "No Secondary Command";
- default: FormatString("Invalid value: %d",value);
- }
- }
-
- Table SMBErrorCodesTable(errClass, errCode)
- {
- switch(errClass)
- {
- case 0x00: "No Error";
- case 0x01: SMBErrorCodesERRDOSTable(errCode);
- case 0x02: SMBErrorCodesERRSRVTable(errCode);
- case 0x03: SMBErrorCodesERRHRDTable(errCode);
- case 0xFF: FormatString("(%d) Unknown", errCode);
- default: FormatString("(%d) Unknown", errCode);
- }
- }
-
- Table SMBNTCreateDisposition(value)
- {
- switch(value)
- {
- case 0: "FILE_SUPERSEDE: If the file exists, replace it with the given file, otherwise create the given file.";
- case 1: "FILE_OPEN: If the file exists, open it instead of creating a new file, otherwise fail the request and do NOT create a new file.";
- case 2: "FILE_CREATE: If the file exists, fail the request and do NOT create or open the given file, otherwise create the given file.";
- case 3: "FILE_OPEN_IF: If the file exists, open it, otherwise create the given file.";
- case 4: "FILE_OVERWRITE: If the file exists, open and overwrite it, otherwise fail the request.";
- case 5: "FILE_OVERWRITE_IF: If the file exists, open and overwrite it, otherwise create the given file.";
- default: FormatString("Invalid value: %d",value);
- }
- }
-
- Table SMBNTCreateAction(value)
- {
- //
- // RESP_NT_CREATE_ANDX
- // RESP_EXTENDED_NT_CREATE_ANDX,
- // RESP_CREATE_WITH_SD_OR_EA
- // RESP_EXTENDED_NT_CREATE_ANDX2
- // ULONG CreateAction
- //
- switch(value)
- {
- case 0: "FILE_SUPERSEDED: The file already existed, and was replaced with the given file.";
- case 1: "FILE_OPENED: The file already existed and was opened.";
- case 2: "FILE_CREATED: The file did NOT exist and was created.";
- case 3: "FILE_OVERWRITTEN: The file already existed and was truncated.";
- case 4: "FILE_EXISTS: The file exists and was opened.";
- case 5: "FILE_DOES_NOT_EXIST: The file does NOT exist.";
- default: FormatString("Invalid value: %d",value);
- }
- }
-
-
- Table SMBNTImpersonationLevelTable(value)
- {
- switch(value)
- {
- case 0 : "Anonymous";
- case 1 : "Identification";
- case 2 : "Impersonation";
- case 3 : "Delegation";
- default: FormatString("Unknown impersonation");
- }
- }
-
- Table SMBOplockTable(value)
- {
- switch(value)
- {
- case 0: "No oplock granted";
- case 1: "Exclusive oplock";
- case 2: "Batch oplock";
- case 3: "Level II oplock";
- default: FormatString("%d",value);
- }
- }
-
- Table SMBFileAccessModeTable(mode)
- {
- switch(mode)
- {
- case 0: "Open for reading";
- case 1: "Open for writing";
- case 2: "Open for reading and writing";
- case 3: "Open for execute";
- default: "unhandled FileAccessMode";
- }
- }
-
- Table SMBFileSharingModeTable(mode)
- {
- switch(mode)
- {
- case 0: "Compatibility mode";
- case 1: "Deny read/write/execute (exclusive)";
- case 2: "Deny write";
- case 3: "Deny read/execute";
- case 4: "Deny none";
- default: "unhandled FileSharingMode";
- }
- }
-
- Table SMBFileLocalityOfReferenceTable(mode)
- {
- switch(mode)
- {
- case 0: "Locality unknown";
- case 1: "Mainly sequential access";
- case 2: "Mainly random access";
- case 3: "Random access with some locally";
- default: "Currently undefined";
- }
- }
-
- Table SMBDeviceStateReadModeTable(value)
- {
- switch(value)
- {
- case 0: "Read pipe as a byte stream";
- case 1: "Read messages from pipe";
- default: "Unknown read mode";
- }
- }
-
- Table SMBDeviceStatePipeTypeTable(value)
- {
- switch(value)
- {
- case 0: "Byte stream pipe";
- case 1: "Message mode pipe";
- default: "Unknown pipe type";
- }
- }
-
- Table SMBBufferStringFormatsTable(format)
- {
- switch(format)
- {
- case 1: FormatString("Data block %d(%#x)", format, format);
- case 2: FormatString("Dialect %d(%#x)", format, format);
- case 3: FormatString("Pathname %d(%#x)", format, format);
- case 4: FormatString("ASCII %d(%#x)", format, format);
- case 5: FormatString("Variable block %d(%#x)", format, format);
- default: FormatString("Undefined Format %d(%#x)", format, format);
- }
- }
-
- //
- //http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cifs/protocol/tree_connect_andx.asp
- //
- Table SMBTreeConnectAndXServiceTable(service)
- {
- switch
- {
- case service.contains("A"): FormatString("%s - Disk share for PC NETWORK PROGRAM 1.0 or later", service);
- case service.contains("LPT1"): FormatString("%s - Printer for PC NETWORK PROGRAM 1.0 or later", service);
- case service.contains("IPC"): FormatString("%s - Named pipe for MICROSOFT NETWORKS 3.0 or later", service);
- case service.contains("COMM"): FormatString("%s - Communications device for MICROSOFT NETWORKS 3.0 or later", service);
- case service.contains("?????"): FormatString("%s - Any device type for MICROSOFT NETWORKS 3.0 or later", service);
- default: FormatString("%s", service);
- }
- }
-
- Table SMBOpenFunctionTable(value)
- {
- switch(value)
- {
- case 0: "Fail if the target file exists (SMB_OFUN_OPEN_FAIL)";
- case 1: "Open or Append file if it exists (SMB_OFUN_OPEN_OPEN)";
- case 2: "Truncate file if it exists (SMB_OFUN_OPEN_TRUNCATE)";
- default: FormatString("Invalid Open Function %d", value);
- }
- }
-
- Struct SMBAccessMask
- {
- SMBAccessMaskAccessMask AccessMask;
- }
-
- //SMB_COM_NT_CREATE_ANDX Client Request Extension
- [DataTypeByteOrder = LittleEndian]
- Struct SMBAccessMaskAccessMask
- {
- UINT32 ReadData:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "FILE_READ_DATA (file & named pipe), FILE_LIST_DIRECTORY (directory)");
- UINT32 WriteData:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "FILE_WRITE_DATA (file & named pipe), FILE_ADD_FILE (directory");
- UINT32 AppendData:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "FILE_APPEND_DATA (file), FILE_ADD_SUBDIRECTORY (directory), FILE_CREATE_PIPE_INSTANCE (named pipe)");
- UINT32 ReadEA:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "FILE_READ_EA (file & directory)");
- UINT32 WriteEA:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "FILE_WRITE_EA (file & directory)");
- UINT32 Execute:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "FILE_EXECUTE (file), FILE_TRAVERSE (directory)");
- UINT32 Reserved_bits:1 = FormatString(" (%s) Reserved" , this.ToBitString);
- UINT32 ReadAttributes:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "FILE_READ_ATTRIBUTES (all)");
-
- UINT32 WriteAttributes:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "FILE_WRITE_ATTRIBUTES (all)");
- UINT32 Reserved_bits9_15:7 = FormatString(" (%s) Reserved" , this.ToBitString);
-
- UINT32 Delete:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "DELETE (the right to delete the object)");
- UINT32 ReadControl:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "READ_CONTROL (read the object's security descriptor NOT including SACL)");
- UINT32 WriteDAC:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "WRITE_DAC (modify the DACL in the object's security descriptor)");
- UINT32 WriteOwner:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "WRITE_OWNER (change the owner in the object's security descriptor)");
- UINT32 Synchronize:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "SYNCHRONIZE (use the object for synchronization)");
- UINT32 Reserved_bits21_23:3 = FormatString(" (%s) Reserved" , this.ToBitString);
-
- UINT32 AccessSystemSecurity:1 = FormatString("(%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "ACCESS_SYSTEM_SECURITY (get or set the SACL in an object's security descriptor)");
- UINT32 MaximumAllowed:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "MAXIMUM_ALLOWED (all access rights valid for the caller)");
- UINT32 Reserved_bits26_27:2 = FormatString(" (%s) Reserved" , this.ToBitString);
- UINT32 GenericAll:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "GENERIC_ALL");
- UINT32 GenericExecute:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "GENERIC_EXECUTE");
- UINT32 GenericWrite:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "GENERIC_WRITE");
- UINT32 GenericRead:1 = FormatString(" (%s) %s %s" , this.ToBitString, this ? "Set" : "NOT Set", "GENERIC_READ");
- }
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBOpenFunction = FormatString("0x%04X", UINT16(FrameData, FrameOffset))
- {
- UINT16 Open:2 = FormatString(" (%s) %s", this.ToBitString, SMBOpenFunctionTable(this));
- UINT16 Rsvd_bits2_3:2 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT16 Create:1 = FormatString(" (%s) %s (SMB_OFUN_CREATE)", this.ToBitString, this ? "If the file does NOT exist, create a file" : "If the file does NOT exist, return Fail");
- UINT16 Unused_bits5_15:11 = FormatString("(%s) Unused", this.ToBitString);
- };
-
- Table SMBActionTable(value)
- {
- switch(value)
- {
- case 1: "The file existed and was opened (SMB_OACT_OPENED)";
- case 2: "The file did NOT exist but was created (SMB_OACT_CREATED)";
- case 3: "The file existed and was truncated (SMB_OACT_TRUNCATED)";
- default: FormatString("Unknown Action: %d",value);
- }
- }
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBOpenAction = FormatString("0x%04X", UINT16(FrameData, FrameOffset))
- {
- UINT16 Open:2 = FormatString("(%s) %s", this.ToBitString, SMBActionTable(this));
- UINT16 Rsvd:13 = FormatString("(%s) Unused", this.ToBitString);
- UINT16 Lock:1 = FormatString("(%s) %s (SMB_OACT_OPLOCK)", this.ToBitString, this ? "File opened by this user only" : "File opened by another client or batch oplocks NOT supported");
- };
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBAccessMode = FormatString("0x%04X", UINT16(FrameData, FrameOffset))
- {
- UINT16 AccessMode:3 = FormatString(" (%s) %s", this.ToBitString, SMBFileAccessModeTable(this));
- UINT16 Reserved_bit3:1 = FormatString(" (%s) Unused", this.ToBitString);
- UINT16 SharingMode:3 = FormatString(" (%s) %s", this.ToBitString, SMBFileSharingModeTable(this));
- UINT16 Reserved_bit7:1 = FormatString(" (%s) Unused", this.ToBitString);
- UINT16 LocalityOfReference:3 = FormatString("(%s) %s", this.ToBitString, SMBFileLocalityOfReferenceTable(this));
- UINT16 Reserved_bit11:1 = FormatString(" (%s) Unused", this.ToBitString);
- UINT16 CacheMode:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Do NOT cache this file (SMB_DO_NOT_CACHE)" : "Normal file (SMB_CACHE_NORMAL)");
- UINT16 Reserved_bit13:1 = FormatString(" (%s) Unused", this.ToBitString);
- UINT16 WriteThroughMode:1 = FormatString(" (%s) %s (SMB_DA_WRITE_THROUGH)", this.ToBitString, this ? "Read ahead or write behind allowed" : "Read ahead or write behind NOT allowed");
- UINT16 Reserved_bit15:1 = FormatString(" (%s) Unused", this.ToBitString);
- }
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBFileBYTEAttributes = FormatString("0x%02X", UINT8( Framedata, Offset ))
- {
- UINT8 Readonly:1 = FormatString(" (%s) %s (FILE_ATTRIBUTE_READONLY)", this.ToBitString, this ? "Read Only" : "NOT Read only");
- UINT8 Hidden:1 = FormatString(" (%s) %s (FILE_ATTRIBUTE_HIDDEN)", this.ToBitString, this ? "Hidden" : "NOT Hidden");
- UINT8 System:1 = FormatString(" (%s) %s (FILE_ATTRIBUTE_SYSTEM)", this.ToBitString, this ? "System" : "NOT System");
- UINT8 Volume:1 = FormatString(" (%s) %s (_A_VOLID [Must Be Zero])", this.ToBitString, this ? "[INVALID] MS-DOS volume label" : "[DEPRECATED] NOT an MS-DOS volume label");
- UINT8 Directory:1 = FormatString("(%s) %s (FILE_ATTRIBUTE_DIRECTORY)", this.ToBitString, this ? "Directory" : "NOT a Directory");
- UINT8 Archive:1 = FormatString(" (%s) %s (FILE_ATTRIBUTE_ARCHIVE)", this.ToBitString, this ? "Archive" : "NOT Archive");
- UINT8 Reverved:2 = FormatString(" (%s) Reserved", this.ToBitString);
- }
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBFileAttributes = FormatString("0x%04X", UINT16(FrameData, FrameOffset))
- {
- UINT16 Readonly:1 = FormatString(" (%s) %s (FILE_ATTRIBUTE_READONLY)", this.ToBitString, this ? "Read Only" : "NOT Read only");
- UINT16 Hidden:1 = FormatString(" (%s) %s (FILE_ATTRIBUTE_HIDDEN)", this.ToBitString, this ? "Hidden" : "NOT Hidden");
- UINT16 System:1 = FormatString(" (%s) %s (FILE_ATTRIBUTE_SYSTEM)", this.ToBitString, this ? "System" : "NOT System");
- UINT16 Volume:1 = FormatString(" (%s) %s (_A_VOLID [Must Be Zero])", this.ToBitString, this ? "[INVALID] MS-DOS volume label" : "[DEPRECATED] NOT an MS-DOS volume label");
- UINT16 Directory:1 = FormatString(" (%s) %s (FILE_ATTRIBUTE_DIRECTORY)", this.ToBitString, this ? "Directory" : "NOT a Directory");
- UINT16 Archive:1 = FormatString(" (%s) %s (FILE_ATTRIBUTE_ARCHIVE)", this.ToBitString, this ? "Archive" : "NOT Archive");
- UINT16 Reverved1:2 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT16 SearchReadonlyFile:1 = FormatString(" (%s) %s (SEARCH_ATTRIBUTE_READONLY)", this.ToBitString, this ? "Search for Read-only files" : "NOT Search for Read-only files");
- UINT16 SearchHiddenFile:1 = FormatString(" (%s) %s (SEARCH_ATTRIBUTE_HIDDEN)", this.ToBitString, this ? "Search for Hidden files" : "NOT Search for Hidden files");
- UINT16 SearchSystemFile:1 = FormatString(" (%s) %s (SEARCH_ATTRIBUTE_SYSTEM)", this.ToBitString, this ? "Search for System files" : "NOT Search for System files");
- UINT16 Reverved2:1 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT16 SearchDirectoryFile:1 = FormatString("(%s) %s (SEARCH_ATTRIBUTE_DIRECTORY)", this.ToBitString, this ? "Search for Directory files" : "NOT Search for Directory files");
- UINT16 SearchArchiveFile:1 = FormatString(" (%s) %s (SEARCH_ATTRIBUTE_ARCHIVE)", this.ToBitString, this ? "Search for files that have changed since they were last archived" : "NOT Search for files that have changed since they were last archived");
- UINT16 Reverved3:2 = FormatString(" (%s) Reserved", this.ToBitString);
- }
-
- //
- //http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cifs/protocol/cifs_file_attribute_encoding.asp
- //
- [DataTypeByteOrder = LittleEndian]
- struct SMBNTFileAttributes = FormatString("0x%04X", UINT32(FrameData, FrameOffset))
- {
- UINT32 ReadOnly:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Read-only file or directory" : "NOT a read-only file or directory"),"FILE_ATTRIBUTE_READONLY");
- UINT32 Hidden:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Hidden file or directory" : "NOT a hidden file or directory"),"FILE_ATTRIBUTE_HIDDEN");
- UINT32 System:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "System file or directory" : "NOT a system file or directory"),"FILE_ATTRIBUTE_SYSTEM");
- UINT32 AVolid:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "[INVALID] MS-DOS volume label" : "[DEPRECATED] NOT an MS-DOS volume label"),"_A_VOLID)(Must Be Zero");
- UINT32 Directory:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Is a directory" : "Is NOT a Directory"),"FILE_ATTRIBUTE_DIRECTORY");
- UINT32 Archive:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Archived file or directory" : "NOT an archived file or directory"),"FILE_ATTRIBUTE_ARCHIVE");
- UINT32 Device:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "[INVALID] device" : "NOT a device"),"FILE_ATTRIBUTE_DEVICE)(Must Be Zero");
- UINT32 Normal:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Must be the only set attribute" : "At least one other attribute normally set"),"FILE_ATTRIBUTE_NORMAL");
-
- UINT32 Temporary:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Temporary file" : "NOT a temporary file"),"FILE_ATTRIBUTE_TEMPORARY");
- UINT32 SparseFile:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Sparse file" : "NOT a sparse file"),"FILE_ATTRIBUTE_SPARSE_FILE");
- UINT32 ReparsePoint:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Reparse point" : "NOT a reparse point"),"FILE_ATTRIBUTE_REPARSE_POINT");
- UINT32 Compressed:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Compressed file or directory" : "NOT a compressed file or directory"),"FILE_ATTRIBUTE_COMPRESSED");
- UINT32 Offline:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Offline file" : "NOT an Offline file"),"FILE_ATTRIBUTE_OFFLINE");
- UINT32 NotContentIndexed:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "NOT content indexed" : "Content indexed"),"FILE_ATTRIBUTE_NOT_CONTENT_INDEXED");
- UINT32 Encrypted:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Encrypted file" : "NOT an Encrypted file"),"FILE_ATTRIBUTE_ENCRYPTED");
- UINT32 Reserved_bit15:1 = FormatString(" (%s) Reserved (Must Be Zero)" , this.ToBitString);
-
- UINT32 Virtual:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Virtual file (Windows Vista and beyond)" : "NOT a virtual file (Windows Vista and beyond)"),"FILE_ATTRIBUTE_VIRTUAL");
- UINT32 Reserved_bits17_18:2 = FormatString("(%s) Reserved (Must Be Zero)" , this.ToBitString);
- UINT32 FirstPipeInstance:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Allow a single pipe instance (Windows 2000 SP2 and beyond)" : "Allow multiple instances of this pipe (Windows 2000 SP2 and beyond)"),"FILE_FLAG_FIRST_PIPE_INSTANCE");
- UINT32 OpenNoRecall:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Do NOT transport file data to local storage" : "Transport file data to local storage"),"FILE_FLAG_OPEN_NO_RECALL");
- UINT32 OpenReparsePoint:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Inhibit NTFS reparse behavior" : "Allow NTFS reparse behavior"),"FILE_FLAG_OPEN_REPARSE_POINT");
- UINT32 Reserved_bits22_23:2 = FormatString("(%s) Reserved (Must Be Zero)" , this.ToBitString);
-
- UINT32 PosixSemantics:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "File is to be accessed according to POSIX rules" : "File is NOT to be accessed according to POSIX rules"),"FILE_FLAG_POSIX_SEMANTICS");
- UINT32 BackupSemantics:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Open or create for a backup or restore operation" : "Don't open or create for backup or restore operation"),"FILE_FLAG_BACKUP_SEMANTICS");
- UINT32 DeleteNoClose:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Server deletes file after all handles are closed" : "Server does NOT delete file after all handles are closed"),"FILE_FLAG_DELETE_ON_CLOSE");
- UINT32 SequentialScan:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Hint to optimize server cache for sequential access" : "No hint for server to optimize cache for sequential access"),"FILE_FLAG_SEQUENTIAL_SCAN");
- UINT32 RandomAccess:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Hint to optimize server cache for random access" : "No hint for server to optimize cache for random access"),"FILE_FLAG_RANDOM_ACCESS");
- UINT32 NoBuffering:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Disallow intermediate buffering or caching" : "Allow intermediate buffering or caching"),"FILE_FLAG_NO_BUFFERING");
- UINT32 Overlapped:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Use OVERLAPPED I/O" : "NOT Using OVERLAPPED I/O"),"FILE_FLAG_OVERLAPPED");
- UINT32 WriteThrough:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Disallow lazy write caching" : "Allow lazy write caching"),"FILE_FLAG_WRITE_THROUGH");
- }
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBNTCreateFlags = FormatString("0x%08X", UINT32(FrameData, FrameOffset))
- {
- UINT32 Reserved_bit0:1 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT32 RequestOplock:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Request a dynamic lock" : "Does NOT request a dynamic lock");
- UINT32 BatchLock:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Request a batch dynamic lock" : "Does NOT request a batch dynamic lock");
- UINT32 Target:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Parent directory of the target is opened" : "Parent directory of the target is not opened");
- UINT32 ExtendedResponse:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Request extented response" : "Does NOT request extended response");
- UINT32 Reserved_bits5_31:27 = FormatString("(%s) Reserved", this.ToBitString);
- }
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBNTCreateShareAccess = UINT32(FrameData, FrameOffset)? FormatString("0x%08X", UINT32(FrameData, FrameOffset)):"FILE_NO_SHARE-Prevents the file from being shared."
- {
- UINT32 Read:1 = FormatString(" (%s) Read %sAllowed", this.ToBitString, this ? "" : "NOT ");
- UINT32 Write:1 = FormatString(" (%s) Write %sAllowed", this.ToBitString, this ? "" : "NOT ");
- UINT32 Delete:1 = FormatString("(%s) Delete %sAllowed", this.ToBitString, this ? "" : "NOT ");
- UINT32 Rsvd:29 = FormatString(" (%s) Reserved(Must be zero)", this.ToBitString);
- }
-
- Table SMBNTCreateOptionsTable(Options)
- {
- switch(Options)
- {
- case 0x00000041: FormatString("Open as COM/DCOM structured storage (0x%08X)", Options);
- case 0x00000441: FormatString("COM structured storage (0x%08X)", Options);
- default: FormatString("0x%08X", Options);
- }
- }
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBNTCreateOptions = SMBNTCreateOptionsTable(UINT32(FrameData, FrameOffset))
- {
- UINT32 DirectoryFile:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "The file being created or opened is a directory file" : "NOT a directory file") , "FILE_DIRECTORY_FILE");
- UINT32 WriteThrough:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Data must be written to the file before operation is complete" : "NOT write through") , "FILE_WRITE_THROUGH");
- UINT32 SequentialOnly:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "File access is sequential only" : "File access can be Random") , "FILE_SEQUENTIAL_ONLY");
- UINT32 NoIntermediateBuffering:1 = FormatString("(%s) %s (%s)" , this.ToBitString , (this ? "Intermediate Buffering NOT allowed" : "Intermediate Buffering allowed") , "FILE_NO_INTERMEDIATE_BUFFERING");
- UINT32 SynchronousIoAlert:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Any wait on behalf of the caller is subject to premature termination from alerts" : "Synchronous Io Alert NOT set") , "FILE_SYNCHRONOUS_IO_ALERT");
- UINT32 SynchronousIoNonAlert:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Waits in the system to synchronize I/O queuing and completion are NOT subject to alerts" : "Synchronous Io NonAlert NOT set") , "FILE_SYNCHRONOUS_IO_NONALERT");
- UINT32 NonDirectoryFile:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "The file being opened must NOT be a directory file" : "The file being opened may be a directory file") , "FILE_NON_DIRECTORY_FILE");
- UINT32 CreateTreeConnecton:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Create a tree connection for this file" : "Create Tree Connection NOT set") , "FILE_CREATE_TREE_CONNECTION");
-
- UINT32 CompleteOplocked:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Complete this operation if the target file is oplocked" : "Complete If Oplocked is NOT set") , "FILE_COMPLETE_IF_OPLOCKED");
- UINT32 NoEA:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Client does NOT understand EA's" : "No EA knowledge bit is NOT set") , "FILE_NO_EA_KNOWLEDGE");
- UINT32 OpenForRecovery:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Windows Vista Client-side caching (CSC) specify a network open and bypass the cache" : "Open Remote Instance is NOT set") , "FILE_OPEN_FOR_RECOVERY");
- UINT32 RandomAccess:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Accesses to the file can be random" : "Random Access bit is NOT set") , "FILE_RANDOM_ACCESS");
- UINT32 DeleteOnClose:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Delete the file when the last handle to it is closed" : "Delete On Close bit is NOT set") , "FILE_DELETE_ON_CLOSE");
- UINT32 OpenBy:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Open By File ID" : "Open By FileName") , "FILE_OPEN_BY_FILE_ID");
- UINT32 OpenForBackup:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Open For Backup" : "Do NOT Open For Backup") , "FILE_OPEN_FOR_BACKUP_INTENT");
- UINT32 CannotBeCompressed:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "The file cannot be compressed" : "The file may be compressed") , "FILE_NO_COMPRESSION");
-
- UINT32 Reserved_bits16_19:4 = FormatString(" (%s) Reserved" , this.ToBitString);
- UINT32 ReserveOpfilter:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Break the oplock to none" : "Reserve Opfilter is NOT set") , "FILE_RESERVE_OPFILTER");
- UINT32 OpenReparsePoint:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "The caller wants a handle to the reparse point itself" : "Open Reparse Point is NOT set") , "FILE_OPEN_REPARSE_POINT");
- UINT32 OpenNoRecall:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Read without recalling" : "Open No Recall is NOT set") , "FILE_OPEN_NO_RECALL");
- UINT32 OpenForFreeSpaceQuery:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Querying volume free space" : "NOT Querying volume free space") , "FILE_OPEN_FOR_FREE_SPACE_QUERY");
-
- UINT32 Reserved_bits24_31:8 = FormatString(" (%s) Reserved" , this.ToBitString);
- }
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBWriteMode = FormatString("0x%04X", UINT16(FrameData, FrameOffset))
- {
- UINT16 Cache:1 = FormatString(" (%s) %s write caching", this.ToBitString, this ? "Write through mode - no" : "Allow" );
- UINT16 Remaining:1 = FormatString("(%s) %s bytes remaining", this.ToBitString, this ? "Return" : "Do NOT return" );
- UINT16 RawName:1 = FormatString(" (%s) %s raw named pipe protocol", this.ToBitString, this ? "Use" : "Do NOT use" );
- UINT16 Start:1 = FormatString(" (%s) %s of message mode named pipe message", this.ToBitString, this ? "Start" : "NOT start" );
- UINT16 Reserved:12 = FormatString(" (%s) Reserved", this.ToBitString );
- }
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBDeviceState = FormatString("0x%04X", UINT16(FrameData, FrameOffset))
- {
- UINT16 InstanceCount:8 = FormatString("(%s) %d (0x%X)", this.ToBitString, this, this );
- UINT16 ReadMode:2 = FormatString(" (%s) %s", this.ToBitString, SMBDeviceStateReadModeTable(this) );
- UINT16 PipeType:2 = FormatString(" (%s) %s", this.ToBitString, SMBDeviceStatePipeTypeTable(this) );
- UINT16 Unused:2 = FormatString(" (%s)", this.ToBitString );
- UINT16 Endpoint:1 = FormatString(" (%s) %s end of pipe", this.ToBitString, this ? "Server" : "Client" );
- UINT16 NonBlocking:1 = FormatString(" (%s) Reads/Writes %s", this.ToBitString, this ? "returns all data available" : "blocks until its data is consumed or canceled" );
- }
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBSecurityFlags
- {
- UINT8 Dynamic:1 = FormatString(" (%s) %s security tracking mode.", this.ToBitString, this ? "Dynamic" : "Static");
- UINT8 Effective:1 = FormatString("(%s) %s aspects of the client's security context are available to the server", this.ToBitString, this ? "Only the enabled" : "All");
- UINT8 Reserved:6 = FormatString(" (%s)", this.ToBitString);
- }
-
- Table SMBPrintFileMode(mode)
- {
- switch(mode)
- {
- case 0: "Text mode (DOS expands TABs)";
- case 1: "Graphics mode";
- default: "Unhandled Mode";
- }
- }
-
- Table SMBPrintJobStatusTable(status)
- {
- switch(status)
- {
- case 1: FormatString("Held or stopped, %d (0x%02X)", status, status);
- case 2: FormatString("Printing, %d (0x%02X)", status, status);
- case 3: FormatString("Awaiting print, %d (0x%02X)", status, status);
- case 4: FormatString("In intercept, %d (0x%02X)", status, status);
- case 5: FormatString("File had error, %d (0x%02X)", status, status);
- case 6: FormatString("Printer error, %d (0x%02X)", status, status);
- default: FormatString("Reserved, %d (0x%02X)", status, status);
- }
- }
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBCapability = FormatString("0x%08X", UINT32(FrameData, FrameOffset))
- {
- UINT32 RawMode:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports SMB_COM_READ_RAW and SMB_COM_WRITE_RAW" : "No Support for SMB_COM_READ_RAW and SMB_COM_WRITE_RAW") , "CAP_RAW_MODE");
- UINT32 MpxMode:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports SMB_COM_READ_MPX and SMB_COM_WRITE_MPX" : "No Support for SMB_COM_READ_MPX or SMB_COM_WRITE_MPX") , "CAP_MPX_MODE");
- UINT32 Unicode:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports Unicode Strings" : "No Support for Unicode Strings") , "CAP_UNICODE");
- UINT32 LargeFiles:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports large files with 64-bit offsets" : "No Support for large files with 64-bit offsets") , "CAP_LARGE_FILES");
- UINT32 NTSMBs:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports SMB NTLM 0.12 dialect commands (implies CAP_NT_FIND)" : "No Support for SMB NTLM 0.12 dialect commands") , "CAP_NT_SMBS");
- UINT32 RPCRemoteAPIs:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports remote API requests using RPC over named pipe connections" : "No Support for remote API requests using RPC over named pipe connections") , "CAP_RPC_REMOTE_APIS");
- UINT32 NTStatus:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Can respond with 32-bit NT status codes in Status" : "Cannot respond with 32-bit NT status codes in Status") , "CAP_NT_STATUS");
- UINT32 LevelIIOplocks:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports Level II oplocks" : "No Support for Level II oplocks") , "CAP_LEVEL_II_OPLOCKS");
-
- UINT32 LockAndRead:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports SMB_COM_LOCK_AND_READ and SMB_COM_WRITE_AND_UNLOCK" : "No Support for SMB_COM_LOCK_AND_READ and SMB_COM_WRITE_AND_UNLOCK") , "CAP_LOCK_AND_READ");
- UINT32 NtFind:1 = FormatString(" (%s) %s (%s)", this.ToBitString, (this ? "Supports Windows NT information level requests (SMB_QUERY_?, SMB_SET_?)" : "No support for Windows NT information level requests"), "CAP_NT_FIND");
- UINT32 Reserved_bits10_11:2 = FormatString("(%s) Reserved", this.ToBitString);
- UINT32 Dfs:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "This server is Distributed File System (Dfs) aware (via TRANS2_GET_DFS_REFERRAL)" : "This server is NOT Distributed File System (Dfs) aware") , "CAP_DFS");
- UINT32 InfolevelPassthru:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports Windows NT information level pass-through requests [SMB_INFO_PASSTHROUGH]" : "No Support for Windows NT information level pass-through requests [SMB_INFO_PASSTHROUGH]") , "CAP_INFOLEVEL_PASSTHRU");
- UINT32 LargeReadx:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports large read operations" : "No Support for large read operations") , "CAP_LARGE_READX");
- UINT32 LargeWritex:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports large write operations" : "No Support for large write operations") , "CAP_LARGE_WRITEX");
-
- UINT32 Lwio:1 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT32 Txf:1 = FormatString(" (%s) %s (%s)", this.ToBitString, (this ? "Transacted filesystem aware" : "NOT transacted filesystem aware"), "CAP_TXF");
- UINT32 ClientSideEncrypt:1 = FormatString(" (%s) %s (%s)", this.ToBitString, (this ? "Can do client side encryption" : "Can NOT do client side encryption"), "CAP_CLIENT_SIDE_ENCRYPTION");
- UINT32 Reserved_bit19:1 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT32 Reserved1:1 = FormatString(" (%s) %s (%s)", this.ToBitString, "Reserved for third party SMB server", "CAP_RESERVED1");
- UINT32 Reserved2:1 = FormatString(" (%s) %s (%s)", this.ToBitString, "Reserved for third party SMB server", "CAP_RESERVED2");
- UINT32 Reserved3:1 = FormatString(" (%s) %s (%s)", this.ToBitString, "Reserved for third party SMB server", "CAP_RESERVED3");
- UINT32 Unix:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports UNIX CIFS Extensions" : "No Support for UNIX CIFS Extensions") , "CAP_UNIX");
-
- UINT32 Reserved_bits24:1 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT32 CompressedData:1 = FormatString(" (%s) %s (%s)", this.ToBitString, (this ? "Supports compressed data transfer" : "No support for compressed data transfer"), "CAP_COMPRESSED_DATA [NOT implemented]");
- UINT32 Reserved_bits26_28:3 = FormatString("(%s) Reserved", this.ToBitString);
- UINT32 DynamicReauth:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports dynamic reauthorization" : "No Support for dynamic reauthorization") , "CAP_DYNAMIC_REAUTH");
- UINT32 PersistentHandles:1 = FormatString(" (%s) %s (%s)", this.ToBitString, (this ? "Supports persistent handles" : "No Support for persistent handles"), "CAP_PERSISTENT_HANDLES");
- UINT32 ExtendedSecurity:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports extended security exchange" : "No Support for extended security exchange") , "CAP_EXTENDED_SECURITY");
- }
-
- // Usage:
- //
- // Encoding
- // 0 - Ascii Encoded
- // 1 - Unicode Encoded
- // IsLengthValid
- // TRUE - Parameter "Length" is valid
- // FALSE - Ignore Parameter "Length"
- // Length
- // If IsLengthValid == TRUE, indicate the length of the string in bytes
- // AlignOffset
- // If the string is Unicode encoded, indicates the base alignment offset
- //
- struct SMBFileNameString(Encoding, IsLengthValid, Length, AlignOffset) = SMBFileNameValue
- {
- switch(Encoding)
- {
- case 0:
- switch
- {
- case IsLengthValid:
- [SMBFileNameValue]
- AsciiString(Length) Name;
- default:
- _struct NullTerminatedName
- {
- [SMBFileNameValue]
- AsciiString Name;
- }
- }
- case 1:
- _struct UnicodeName
- {
- ALIGN(AlignOffset, 2) Align;
- switch
- {
- case IsLengthValid:
- [SMBFileNameValue]
- UnicodeString(Length/2) Name;
- default:
- _struct NullTerminatedName
- {
- [SMBFileNameValue]
- UnicodeString Name;
- }
- }
- }
- }
- }
-
- //
- // Command/Response structures
- //
-
- struct SmbComOpenAndxClientRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x0F");
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 ANDXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- [DataFieldByteOrder = LittleEndian]
- UINT16 Flags
- {
- UINT16 QueryInformation:1 = FormatString(" (%s) %s (SMB_OPEN_QUERY_INFORMATION)", this.ToBitString, this ? "Return additional info(FileAttributes, DataSize, GrantedAccess, FileType, and DeviceState)" : "FileAttributes, DataSize, GrantedAccess, FileType, and DeviceState have indeterminate values and client ignores them");
- UINT16 Oplock:1 = FormatString(" (%s) %s (SMB_OPEN_OPLOCK)", this.ToBitString, this ? "Exclusive oplock requested" : "Exclusive oplock NOT requested");
- UINT16 Opbatch:1 = FormatString(" (%s) %s (SMB_OPEN_OPBATCH)", this.ToBitString, this ? "Batch oplock requested" : "Batch oplock NOT requested");
- UINT16 Reserved_bit3:1 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT16 ExtendedResponse:1 = FormatString(" (%s) %s (SMB_OPEN_EXTENDED_RESPONSE)", this.ToBitString, this ? "RESP_EXTENDED_OPEN_ANDX reply" : "RESP_OPEN_ANDX reply");
- UINT16 Reserved_bits5_15:11 = FormatString("(%s) Reserved", this.ToBitString);
- };
- SMBAccessMode AccessMode;
- SMBFileAttributes SearchAttributes;
- SMBFileAttributes FileAttributes;
- //# ? TD review: FileAttributes may be 2-byte
- //SMBNTFileAttributes FileAttributes;
- SMBTIME CreationTime;
- SMBDATE CreationDate;
- SMBOpenFunction OpenMode;
- UINT32 AllocationSize;
- UINT32 TimeOut = FormatString("%d milli sec(s)",this);
- UINT32 Reserved = MUSTBeSetToTable( this, "0x00000000");
- [Post.SMBBytesEndOffset = Frameoffset + 2 + ByteCount]
- UINT16 ByteCount;
- //#? seems sometimes there is no BufferFormat, direct followed by FileName
- //UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- While [!UINT8( Framedata, Offset )]
- {
- UINT8 Pad;
- }
- switch(Property.SMBUnicode)
- {
- case 0:
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- AsciiString AsciiFileName;
- case 1:
- _struct FileName
- {
- ALIGN2 Align;
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- UnicodeString UnicodeFileName;
- }
- }
- switch
- {
- case FrameOffset < SMBBytesEndOffset:
- BLOB (SMBBytesEndOffset - FrameOffset) Padding;
- }
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SmbComOpenAndxServerResponse
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x0F");
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 ANDXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- conversation.SMBFileNamePerFrame$[FrameNumber] = conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Property.SMBFileName = conversation.SMBFileNamePerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCount$[SMBFileID] = conversation.SMBFileIDCount$[SMBFileID] + 1,
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- SMBFileAttributes FileAttributes;
- //# ? TD review: FileAttributes may be 2-byte
- //SMBNTFileAttributes FileAttributes;
- SMBTIME LastWriteTime;
- SMBDATE LastWriteDate;
- UINT32 FileDataSize;
- SMBAccessMode AccessRights;
- UINT16 ResourceType = SMBFileTypeTable(this);
- switch (ResourceType)
- {
- case 1:
- case 2:
- SMBDeviceState NMPipeStatus;
- default:
- UINT16 ReservedDS;
- }
- SMBOpenAction OpenResults;
- [SMBComPramSummary = SMBComPramSummary + ", ServerFID = " + this]
- UINT32 ServerFID;
- UINT16 Reserved = MUSTBeSetToTable( this, "0x0000");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SmbComOpenAndxServerResponseExtension
- {
- UINT8 WordCount;
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 ANDXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- conversation.SMBFileNamePerFrame$[FrameNumber] = conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Property.SMBFileName = conversation.SMBFileNamePerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCount$[SMBFileID] = conversation.SMBFileIDCount$[SMBFileID] + 1,
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- SMBFileAttributes FileAttributes;
- //# ? TD review: FileAttributes may be 2-byte
- //SMBNTFileAttributes FileAttributes;
- SMBTIME LastWriteTime;
- SMBDATE LastWriteDate;
- UINT32 DataSize;
- SMBAccessMode GrantedAccess;
- UINT16 ResourceType = SMBFileTypeTable(this);
- switch (ResourceType)
- {
- case 1:
- case 2:
- SMBDeviceState NMPipeStatus;
- default:
- UINT16 ReservedDS;
- }
- SMBOpenAction OpenResults;
- [SMBComPramSummary = SMBComPramSummary + ", ServerFID = " + this]
- UINT32 ServerFID;
- UINT16 Reserved;
- _struct ExtendedResponse
- {
- SMBAccessMask MaxAccessRights;
- SMBAccessMask GuestMaxAccessRights;
- };
- UINT16 ByteCount;
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SMBComUnlockByteRangeRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x05");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT32 Count;
- UINT32 Offset;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComUnlockByteRangeResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- Table SMBMailSlotOpcodeTable(code)
- {
- switch(code)
- {
- case 1: "Write Mail Slot";
- default: FormatString("%d (0x%X)", code, code);
- }
- }
-
- Table SMBMailSlotClassTable(class)
- {
- switch(class)
- {
- case 1: "Reliable";
- case 2: "Unreliable & Broadcast";
- default: FormatString("%d (0x%02X)", class, class);
- }
- }
-
- Table SMBTransNamePipeFunctionTable(func)
- {
- //0x01 TRANS_SetNamedPipeHandleState
- //0x11 TRANS_RawReadNamedPipe
- //0x21 TRANS_GetNamedPipeHandleState
- //0x22 TRANS_GetNamedPipeInfo
- //0x23 TRANS_PeekNamedPipe
- //0x26 TRANS_TransactNamedPipe
- //0x31 TRANS_RawWriteNamedPipe
- //0x53 TRANS_WaitNamedPipe
- //0x54 TRANS_CallNamedPipe
- switch(func)
- {
- case 0x01: "Set named pipe handle state";
- case 0x11: "Raw read named pipe";
- case 0x21: "Get named pipe handle state";
- case 0x22: "Get named pipe information";
- case 0x23: "Peek named pipe";
- case 0x26: "Transact named pipe";
- case 0x31: "Raw write named pipe";
- case 0x36: "Pipe Read";
- case 0x37: "Pipe Write";
- case 0x53: "Wait named pipe";
- case 0x54: "Call named pipe";
- default: "Named pipe request";
- }
- }
-
- Table SMBUnixFileType(type)
- {
- switch(type)
- {
- case 0x00000000: "File";
- case 0x00000001: "Directory";
- case 0x00000002: "Symbolic link";
- case 0x00000003: "Character device";
- case 0x00000004: "Block device";
- case 0x00000005: "FIFO";
- default: "Unknown file type";
- }
- }
-
- Table SMBTransactSetupCountTable(setupCount)
- {
- switch(setupCount)
- {
- case 0: "Remote Administration Protocol";
- case 1: "Named Pipe";
- case 2: "Named Pipe";
- case 3: "Mail Slots";
- }
- }
-
- Table SMBPipeStateReadModeTable(mode)
- {
- switch(mode)
- {
- case 0: "Read pipe as a byte stream";
- case 1: "Read messages from pipe";
- default: FormatString("%d", mode);
- }
- }
-
- struct SMBComTransactionRequest
- {
- UINT8 WordCount;
- UINT16 TotalParameterCount;
- UINT16 TotalDataCount;
- UINT16 MaxParameterCount;
- UINT16 MaxDataCount;
- UINT8 MaxSetupCount;
- UINT8 Reserved;
- [DataFieldByteOrder = LittleEndian]
- UINT16 Flags = Disconnect ? "Disconnect TID" : "Do NOT disconnect TID"
- {
- UINT16 Disconnect:1 = FormatString("(%s) %s", This.ToBitString, this ? "Disconnect TID" : "Do NOT disconnect TID");
- UINT16 NoResponse:1 = FormatString("(%s) %s",this.toBitString,this?"One-way transaction without server's response":"Server response to the client");
- UINT16 Reserved:14 = FormatString(" (%s) Reserved",this.toBitString);
- };
- UINT32 Timeout = FormatString("%d milli sec(s)",this);
- UINT16 Reserved2;
- UINT16 ParameterCount;
- UINT16 ParameterOffset;
- UINT16 DataCount;
- UINT16 DataOffset;
- [
- TransactRequestSetupCount,
- conversation.SMBTransactSetupCount$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBComSummary = SMBComSummary + FormatString(", %s", SMBTransactSetupCountTable(this))
- ]
- UINT8 SetupCount;
- UINT8 Reserved3;
- //
- // These are Setup Words
- //
- switch(SetupCount)
- {
- case 1:
- case 2:
- struct NamedPipeSetupWords
- {
- [
- PipeFunction,
- Post.SMBComSummary = SMBComSummary + ", " + SMBTransNamePipeFunctionTable(this),
- Conversation.SMBTransactPipeFuncTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)]
- ]
- UINT16 Subcommand = FormatString("%s, %d(0x%04X)", SMBTransNamePipeFunctionTable(this), this, this);
- switch(SetupCount)
- {
- case 2:
- switch
- {
- case PipeFunction == 0x53:
- case PipeFunction == 0x54:
- case SMBComSummary.contains("Named pipe request"):
- UINT16 Priority;
- default:
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, conversation.SMBFileIDCountTable$[FrameNumber])],
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- }
- }
- }
- case 3:
- struct MailSlotsSetupWords
- {
- [Post.SMBComSummary = SMBComSummary + ", " + SMBMailSlotOpcodeTable(Subcommand)]
- UINT16 Subcommand = SMBMailSlotOpcodeTable(this);
- UINT16 Priority;
- UINT16 Class = SMBMailSlotClassTable(this);
- }
- default:
- switch
- {
- case SetupCount > 0:
- _struct ErrorSetupWords
- {
- ReportParserError(ParserErrorProtocolClassWindows, "SMB", FormatString("SMB: Unknown Transaction Request SetupWords, SetupCount = %d", SetupCount)) TransactionSetupWordsError;
- UINT16 SetupWords[SetupCount];
- }
- }
- }
- [
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : (SMBFileID ? MakeByteArray(SMBFileID, SMBFIDCount) : MakeByteArray(SMBTID, SMBPID, SMBMID) ) ),
- Post.Conversation.ConversationDescription
- = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID)
- : SMBFileID ? FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID)
- : FormatString("(TID:0x%04X, PID:0x%04X, MID:0x%04X) ConvID = %d", SMBTID, SMBPID, SMBMID, ConvID),
- Post.SMBBytesEndOffset = FrameOffset + 2 + ByteCount
- ]
- UINT16 ByteCount;
-
- switch(SetupCount)
- {
- // accroding to netmon2 source Smbtrans.c line 1010
- // Remote API - just list the pipe name
- case 0:
- struct RemoteAPIBuffer
- {
- [Post.SMBComPramSummary = ", FileName = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) FileName;
- switch
- {
- case ParameterOffset - CurrentProtocolOffset > 0:
- BLOB(ParameterOffset-CurrentProtocolOffset) Pad1;
- }
- switch
- {
- case ParameterCount > 0:
- RAP(ParameterCount, DataCount) RAPRequest;
- }
- switch
- {
- case DataOffset - CurrentProtocolOffset > 0:
- BLOB(DataOffset-CurrentProtocolOffset) Pad2;
- }
- //#? these Parameters should be parsed as a Protocol: Remote API
- switch
- {
- case DataCount > 0:
- BLOB(DataCount) Data;
- }
- };
- case 1:
- case 2:
- struct NamedPipeBuffer
- {
- [Post.SMBComPramSummary = SMBComPramSummary + ", PathName = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) PathName;
- switch
- {
- case ParameterOffset - CurrentProtocolOffset > 0:
- BLOB(ParameterOffset-CurrentProtocolOffset) Pad1;
- }
- switch(PipeFunction)
- {
- //TRANS_SetNamedPipeHandleState TRANS_SET_NMPIPE_STATE (0x0001)
- case 0x01:
- _struct SetNamedPipeHandleStateParameters
- {
- //#???
- //UINT16 UnknownData;
- [DataFieldByteOrder = LittleEndian]
- UINT16 PipeState
- {
- UINT16 Reserved_bits0_7:8 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT16 ReadMode:2 = FormatString(" (%s) %s", this.ToBitString, SMBPipeStateReadModeTable(this));
- UINT16 Reserved_bits10_14:5 = FormatString("(%s) Reserved", this.ToBitString);
- UINT16 NonBlocking:1 = FormatString(" (%s) Reads/Writes %s if data available", this.ToBitString, this ? "return immediately" : "block");
- };
- };
- //TRANS_GetNamedPipeInfo
- case 0x22:
- _struct GetNamedPipeInfoParameters
- {
- UINT16 InfoLevel = SMBNTRenameInformationLevel(this);
- };
- default:
- switch
- {
- case ParameterCount > 0:
- BLOB(ParameterCount) Parameters;
- }
- }
- switch
- {
- case DataOffset - CurrentProtocolOffset > 0:
- BLOB(DataOffset - CurrentProtocolOffset) Pad2;
- }
- switch
- {
- case UINT8( Framedata, Offset ) == 0x05 && // RPC Protocol Version = 5, Connection-oriented RPC
- ( UINT8( Framedata, Offset + 1 ) == 0 || UINT8( Framedata, Offset + 1 ) == 1 ) && // RPC minor version
- ( FrameLength - frameOffset >= 16 ) && // RPC connection-oriented header length
- ( UINT8( Framedata, Offset + 2 ) == 0 || // RPC ptype, connection-oriented packet types
- UINT8( Framedata, Offset + 2 ) == 2 ||
- UINT8( Framedata, Offset + 2 ) == 3 ||
- UINT8( Framedata, Offset + 2 ) >= 11 && UINT8( Framedata, Offset + 2 ) <= 19 ) &&
- ( UINT8( Framedata, Offset + 4 ) & 0xEE ) == 0 && // RPC integer and character data representation, drep octet0
- UINT8( Framedata, Offset + 5 ) < 4 && // RPC floating point data representation, drep octet1
- UINT8( Framedata, Offset + 6 ) == 0 && // RPC data representation drep octet2 & 3 m.b.z.
- UINT8( Framedata, Offset + 7 ) == 0 :
- MSRPC MSRPC;
- case Property.SMBFileName.contains("MsFteWds"):
- MSWSP MSWSP;
- case (UINT32( FrameData, Offset ) >= 200 && UINT32( FrameData, Offset ) <= 209) ||
- (UINT32( FrameData, Offset ) >= 230 && UINT32( FrameData, Offset ) <= 233) ||
- UINT32( FrameData, Offset ) == 215 ||
- UINT32( FrameData, Offset ) == 217 ||
- UINT32( FrameData, Offset ) == 225 ||
- UINT32( FrameData, Offset ) == 228 ||
- UINT32( FrameData, Offset ) == 236:
- // 200-209, 215, 217, 225, 228, 230-233, 236
- CIS CIS;
-
- default:
- switch
- {
- case DataCount > 0:
- BLOB(DataCount) Data;
- }
- }
- };
- //
- //http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ipc/base/mailslots.asp
- //
- case 3:
- struct MailSlotsBuffer
- {
- [
- Post.SMBComPramSummary = ", FileName = " + SMBFileNameValue,
- Post.MailSlotName = SMBFileNameValue
- ]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) FileName;
- switch
- {
- case DataOffset - CurrentProtocolOffset > 0:
- BLOB(DataOffset-CurrentProtocolOffset) Pad2;
- }
- switch
- {
- case MailSlotName.Contains("\\BROWSE"):
- BROWSER Browser;
- case MailSlotName.Contains("\\NET"):
- NetLogon Netlogon;
- case MailSlotName.Contains("\\tapi"):
- [
- SMBComSummary = SMBComSummary + ", tapi",
- SMBComPramSummary = SMBComPramSummary + FormatString(", TRP InitContext = 0x%08X", this)
- ]
- UINT32 InitContext;
- case MailSlotName.Contains("\\MESSNGR"):
- _struct MESSENGER
- {
- BLOB(DataCount) Data;
- }
- default:
- BLOB(SMBBytesEndOffset - FrameOffset) MailSlotData;
- }
- };
- default:
- _struct OthersBuffer
- {
- switch
- {
- case ParameterOffset - CurrentProtocolOffset > 0:
- BLOB(ParameterOffset-CurrentProtocolOffset) Pad1;
- }
- switch
- {
- case ParameterCount > 0:
- BLOB(ParameterCount) Parameters;
- }
- switch
- {
- case DataOffset - CurrentProtocolOffset > 0:
- BLOB(DataOffset-CurrentProtocolOffset) Pad2;
- }
- switch
- {
- case DataCount > 0:
- BLOB(DataCount) Data;
- }
- }
- }
- }
-
- Table SMBPipeStatusTable(status)
- {
- switch(status)
- {
- case 1: "Disconnected by server";
- case 2: "Listening";
- case 3: "Connection to server is okay";
- case 4: "Server end of pipe is closed";
- default: "Uknown";
- }
- }
-
- struct SMBComTransactionResp
- {
- [
- Conversation.SMBTransactSetupCountPerFrame$[FrameNumber] = conversation.SMBTransactSetupCount$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- TransactRequestSetupCount = Conversation.SMBTransactSetupCountPerFrame$[FrameNumber],
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Conversation.SMBTransactFuncPerFrame$[FrameNumber] = conversation.SMBTransactPipeFuncTable$[MakeByteArray(SMBTID, SMBPID,SMBMID)],
- Property.PipeFunction = Conversation.SMBTransactFuncPerFrame$[FrameNumber],
- SMBComSummary = SMBComSummary + FormatString(", %s", SMBTransactSetupCountTable(TransactRequestSetupCount)),
- SMBComSummary = PipeFunction ? SMBComSummary + ", " + SMBTransNamePipeFunctionTable(PipeFunction): SMBComSummary,
- SMBComPramSummary = (TransactRequestSetupCount == 2) ? SMBComPramSummary + FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "") : SMBComPramSummary,
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : (SMBFileID ? MakeByteArray(SMBFileID, SMBFIDCount) : MakeByteArray(SMBTID, SMBPID, SMBMID) ) ),
- Post.Conversation.ConversationDescription
- = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID)
- : SMBFileID ? FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID)
- : FormatString("(TID:0x%04X, PID:0x%04X, MID:0x%04X) ConvID = %d", SMBTID, SMBPID, SMBMID, ConvID)
- ]
- UINT8 WordCount;
- UINT16 TotalParameterCount;
- UINT16 TotalDataCount;
- UINT16 Reserved;
- UINT16 ParameterCount;
- UINT16 ParameterOffset;
- UINT16 ParamDisplacement;
- UINT16 DataCount;
- [SMBDataAlignCount = DataOffset - ParameterOffset - ParameterCount]
- UINT16 DataOffset;
- UINT16 DataDisplacement;
- UINT8 SetupCount;
- UINT8 Reserved2;
- switch
- {
- // SetupCount could be set to any value if TRANS_CALL_NMPIPE response fails with STATUS_BUFFER_OVERFLOW
- case (Property.SMBStatus & 0x30000005) != 0x00000005 && SetupCount > 0:
- _struct ErrorSetupWords
- {
- ReportParserError(ParserErrorProtocolClassWindows, "SMB", FormatString("SMB: Unknown Transaction Response SetupWords, SetupCount = %d", SetupCount)) TransactionSetupWordsError;
- UINT16 SetupWords[SetupCount];
- }
- };
- UINT16 ByteCount;
- switch
- {
- case ParameterOffset - CurrentProtocolOffset > 0:
- BLOB(ParameterOffset-CurrentProtocolOffset) Pad1;
- }
- //
- // This is Transaction Parameter Block
- //
- switch
- {
- case ParameterCount > 0 && ParamDisplacement == 0:
- switch
- {
- case !(ConvID > 0):
- _struct ReportWarning
- {
- ReportParserWarning( "SMB", "May not parse correctly when conversation off") ParserWarning;
- BLOB(ParameterCount) Parameters;
- };
- case Property.TransactRequestSetupCount == 0:
- RAP(ParameterCount, DataCount) RAPResponse;
- case Property.TransactRequestSetupCount == 1:
- case Property.TransactRequestSetupCount == 2:
- switch(Property.PipeFunction)
- {
- //TRANS_GetNamedPipeHandleState
- case 0x21:
- [DataFieldByteOrder = LittleEndian]
- UINT16 PipeState
- {
- UINT16 ICount:8 = FormatString(" (%s) %d", this.ToBitString, this);
- UINT16 ReadMode:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Pipe should be read as a message" : "Pipe should be read as a byte stream");
- UINT16 Reserved_bit9:1 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT16 NamedPipeType:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Pipe is a message pipe" : "Pipe is a byte stream pipe");
- UINT16 Reserved_bits11_13:3 = FormatString("(%s) Reserved", this.ToBitString);
- UINT16 EndPoint:1 = FormatString(" (%s) %s", this.ToBitString, this ? "The server end of the pipe" : "The client end of the pipe");
- UINT16 Blocking:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Reads and writes return immediately if no data" : "Reads and writed block if no data avaliable");
- }
- //TRANS_PEEK_NMPIPE Response
- case 0x23:
- struct
- {
- UINT16 ReadDataAvailable;
- UINT16 MessageBytesLength;
- UINT16 NamedPipeState = SMBPipeStatusTable(this);
- }
- //TRANS_RawWriteNamedPipe
- case 0x31:
- UINT16 BytesWritten;
- default:
- BLOB(ParameterCount) Parameters;
- }
- case Property.TransactRequestSetupCount == 3:
- switch(Property.PipeFunction)
- {
- //TRANS_MAILSLOT_WRITE
- case 0x0001:
- UINT16 OperationStatus;
- }
- }
- }
- switch
- {
- case DataOffset - CurrentProtocolOffset > 0:
- BLOB(DataOffset-CurrentProtocolOffset) Pad2;
- }
-
- //
- // This is Transaction Data Block
- //
- switch
- {
- case DataCount > 0 && DataDisplacement == 0:
- switch
- {
- case UINT8( Framedata, Offset ) == 0x05 && // RPC Protocol Version = 5, Connection-oriented RPC
- ( UINT8( Framedata, Offset + 1 ) == 0 || UINT8( Framedata, Offset + 1 ) == 1 ) && // RPC minor version
- ( FrameLength - frameOffset >= 16 ) && // RPC connection-oriented header length
- ( UINT8( Framedata, Offset + 2 ) == 0 || // RPC ptype, connection-oriented packet types
- UINT8( Framedata, Offset + 2 ) == 2 ||
- UINT8( Framedata, Offset + 2 ) == 3 ||
- UINT8( Framedata, Offset + 2 ) >= 11 && UINT8( Framedata, Offset + 2 ) <= 19 ) &&
- ( UINT8( Framedata, Offset + 4 ) & 0xEE ) == 0 && // RPC integer and character data representation, drep octet0
- UINT8( Framedata, Offset + 5 ) < 4 && // RPC floating point data representation, drep octet1
- UINT8( Framedata, Offset + 6 ) == 0 && // RPC data representation drep octet2 & 3 m.b.z.
- UINT8( Framedata, Offset + 7 ) == 0 :
- [
- PayloadStart(
- NetworkDirection, /* direction */
- Property.SMBFileID, //identifier
- 0, //sequence token
- 0, //next sequence
- UINT16( FrameData, FrameOffset + 8 ), //total payload length
- SMBStatus != 0x80000005||(DataDisplacement == 0 && SMBStatus == 0x80000005), //is first
- 0, //is last
- RssmblyIndStartBit+RssmblyIndLengthBit, //has start and end indication
- 0x0000, /* Properties... */
- SMBResponse,
- 0x0000,
- ""
- )
- ]
- MSRPC MSRPC;
-
- default:
- [
- PayloadStart(
- NetworkDirection, /* direction */
- 0, /* id */
- DataDisplacement, /* sequence token */
- DataDisplacement + DataCount, /* next sequence token */
- 0, /* total payload length */
- (ParamDisplacement == 0) && (DataDisplacement == 0), /* is first */
- (TotalParameterCount == ParamDisplacement + ParameterCount) && (TotalDataCount == DataDisplacement + DataCount), /* is last */
- RssmblyIndStartBit+RssmblyIndEndBit+RssmblySequenceBit, //has start and end indication
- 0x0000, /* Properties... */
- SMBResponse,
- 0x0000,
- ""
- )
- ]
- switch
- {
- case !(ConvID > 0):
- _struct ReportWarning
- {
- ReportParserWarning( "SMB", "May not parse correctly when conversation off") ParserWarning;
- BLOB(DataCount) Data;
- };
- //TRANS_GetNamedPipeInfo
- case PipeFunction == 0x22:
- struct PipeInformationDataBlock
- {
- UINT16 OutputBufferSize;
- UINT16 InputBufferSize;
- UINT8 MaximumInstances;
- UINT8 CurrentInstances;
- UINT8 PipeNameLength;
- [Post.SMBComPramSummary = SMBComPramSummary + ", PipeName = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) PipeName;
- }
- //TRANS_PeekNamedPipe
- case PipeFunction == 0x23:
- BLOB(DataCount) PeekedData;
- case Property.SMBFileName.contains("MsFteWds"):
- MSWSP MSWSP;
- case (UINT32( FrameData, Offset ) >= 200 && UINT32( FrameData, Offset ) <= 209) ||
- (UINT32( FrameData, Offset ) >= 230 && UINT32( FrameData, Offset ) <= 233) ||
- UINT32( FrameData, Offset ) == 215 ||
- UINT32( FrameData, Offset ) == 217 ||
- UINT32( FrameData, Offset ) == 225 ||
- UINT32( FrameData, Offset ) == 228 ||
- UINT32( FrameData, Offset ) == 236:
- // 200-209, 215, 217, 225, 228, 230-233, 236
- CIS CIS;
- case TransactRequestSetupCount == 0:
- // This may be RAP (Remote Administration Protocol, was Remote API in Netmon2) response datas
- BLOB(DataCount) RAPData;
- default:
- BLOB(DataCount) Data;
- }
- };
- case DataCount > 0 && DataDisplacement > 0:
- //
- // This is a Fragmented Ttransact Frame
- //
- [
- PayloadStart(
- NetworkDirection, /* direction */
- 0, /* id */
- DataDisplacement, /* sequence token */
- DataDisplacement + DataCount, /* next sequence token */
- 0, /* total payload length */
- (ParamDisplacement == 0) && (DataDisplacement == 0), /* is first */
- (TotalParameterCount == ParamDisplacement + ParameterCount) && (TotalDataCount == DataDisplacement + DataCount), /* is last */
- RssmblyIndStartBit+RssmblyIndEndBit+RssmblySequenceBit, //has start and end indication
- 0x0000, /* Properties... */
- SMBResponse,
- 0x0000,
- ""
- )
- ]
- BLOB(DataCount > FrameLength - FrameOffset ? FrameLength - FrameOffset : DataCount) ContinuationData;
- }
- }
-
- struct SMBComTransactionSecondaryRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x08");
- UINT16 TotalParameterCount;
- UINT16 TotalDataCount;
- UINT16 ParameterCount;
- UINT16 ParameterOffset;
- UINT16 ParamDisplacement;
- UINT16 DataCount;
- UINT16 DataOffset;
- UINT16 DataDisplacement;
- [
- SMBFileID = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 ByteCount;
- switch
- {
- case ParameterOffset - CurrentProtocolOffset > 0:
- BLOB(ParameterOffset-CurrentProtocolOffset) Pad1;
- }
- switch
- {
- case ParameterCount > 0:
- BLOB(ParameterCount) Parameters;
- }
- switch
- {
- case DataOffset - CurrentProtocolOffset > 0:
- BLOB(DataOffset-CurrentProtocolOffset) Pad2;
- }
- switch
- {
- case DataCount > 0:
- BLOB(DataCount) Data;
- }
- }
-
- [Property.SMBInterimResponse = true]
- struct SMBComInterimTransactionResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber]
- ]
- UINT8 WordCount;
- switch
- {
- case SMBFileID:
- [
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- _struct BuildConversationForInterimResponse
- {
- UINT16 ByteCount;
- };
- default:
- UINT16 ByteCount;
- }
- }
-
- struct SMBComWriteRequestAndXRequest
- {
- UINT8 WordCount;
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 ANDXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FID;
- [Property.SMBFileOffset]
- UINT32 FileOffset;
- UINT32 Timeout;
- SMBWriteMode WriteMode;
- UINT16 Remaining;
- UINT16 DataLengthHigh;
- [Property.SMBDataLength = DataLengthHigh * 65536 + this]
- [post.property.SmbFileFragmentLen = Property.SMBDataLength]
- UINT16 DataLength;
- UINT16 DataOffset;
- switch(WordCount)
- {
- case 14:
- [
- SMBLargeFileOffset = this <> 0xFFFFFFFF && this > 0,
- Property.SMBFileOffset = (this <> 0xFFFFFFFF) ? (SMBFileOffset + this * 4294967296) : SMBFileOffset
- ]
- UINT32 OffsetHigh;
- }
- [SMBComPramSummary = SMBComPramSummary + ", "
- + SMBFormatNumber("%u", FALSE, Property.SMBDataLength)
- + " bytes at Offset "
- + SMBFormatNumber("%u", SMBIsLargeFileOffset, SMBFileOffset)
- ]
- UINT16 ByteCount;
- switch
- {
- case CurrentProtocolOffset < DataOffset:
- BLOB(DataOffset - CurrentProtocolOffset) Pad;
- }
- switch
- {
- case UINT8( Framedata, Offset ) == 0x05 && // RPC Protocol Version = 5, Connection-oriented RPC
- ( UINT8( Framedata, Offset + 1 ) == 0 || UINT8( Framedata, Offset + 1 ) == 1 ) && // RPC minor version
- ( FrameLength - frameOffset >= 16 ) && // RPC connection-oriented header length
- ( UINT8( Framedata, Offset + 2 ) == 0 || // RPC ptype, connection-oriented packet types
- UINT8( Framedata, Offset + 2 ) == 2 ||
- UINT8( Framedata, Offset + 2 ) == 3 ||
- UINT8( Framedata, Offset + 2 ) >= 11 && UINT8( Framedata, Offset + 2 ) <= 19 ) &&
- ( UINT8( Framedata, Offset + 4 ) & 0xEE ) == 0 && // RPC integer and character data representation, drep octet0
- UINT8( Framedata, Offset + 5 ) < 4 && // RPC floating point data representation, drep octet1
- UINT8( Framedata, Offset + 6 ) == 0 && // RPC data representation drep octet2 & 3 m.b.z.
- UINT8( Framedata, Offset + 7 ) == 0 :
- MSRPC MSRPC;
- case AsciiString( FrameData, Offset, 4 ) == "MSCF":
- BLOB(Property.SMBDataLength > (FrameLength - FrameOffset)?(FrameLength - FrameOffset):Property.SMBDataLength) CabinetFile;
- default:
- struct
- {
- [Local.SMBFileNameRemain = Property.SMBFileName]
- [MaxLoopCount = 200]
- while [Local.SMBFileNameRemain.ContainsBin(2, "5C")]
- {
- [Local.SMBFileNameRemain = UnicodeString(Local.SMBFileNameRemain, 2)]
- struct{};
- }
- switch
- {
- case contains(Property.SMBFileName, "\\ci_skads"):
- CIS CIS;
- case Local.SMBFileNameRemain.containsBin(2, "2E")://It's not pipe data when include "." in the file name
- switch
- {
- case conversation.Parent.SmbIsNotPipe$[property.SMBTID] || IsValueNone(conversation.Parent.SmbIsNotPipe$[property.SMBTID]):
- [
- PayloadStart(
- NetworkDirection, /* direction */
- 0, /* id */
- property.SMBFileOffset, /* sequence token */
- property.SMBFileOffset + property.SmbFileFragmentLen, /* next sequence token */
- 0, /* total payload length */
- Property.IsMoreThanOneSMBOverTcp ? 1 : property.SMBFileOffset == 0, /* is first */
- Property.IsMoreThanOneSMBOverTcp ? 1 : 0, /* is last */
- RssmblyIndStartBit + RssmblyIndEndBit + RssmblySequenceBit,
- 0x0000,
- 0,
- 0x0000,
- Property.SMBFileName
- )
- ]
- [DataFieldFrameLength = FrameOffset + property.SmbFileFragmentLen]
- switch
- {
- case property.SMBFileOffset == 0:
- FileTypeContent FileTypeContent;
- default:
- blob(FrameLength - FrameOffset) ContinualData;
- }
- default:
- BLOB(Property.SmbFileFragmentLen) Payload;
- }
- default:
- BLOB(Property.SmbFileFragmentLen) PipePayload;
- }
- }
- }
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SMBComWriteAndXResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x06");
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 ANDXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- [SMBComPramSummary = SMBComPramSummary + FormatString(", %d bytes", Count)]
- UINT16 Count;
- UINT16 Available;
- UINT16 CountHigh;
- UINT16 Reserved = MUSTBeSetToTable( this, "0x0000");
- UINT16 ByteCount;
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SMBComLockAndReadRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x05");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 CountOfBytesToRead;
- [Post.SMBComPramSummary = SMBComPramSummary + FormatString(", FileOffset = %d", ReadOffsetInBytes)]
- UINT32 ReadOffsetInBytes;
- UINT16 EstimateOfRemainingBytesToBeRead;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComLockAndReadResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x05");
- UINT16 CountOfBytesReturned;
- BLOB(8) Reserved;
- UINT16 ByteCount;
- UINT8 BufferType = SMBBufferStringFormatsTable(this);
- UINT16 CountOfBytesRead;
- BLOB(DataLength) Bytes;
- }
-
- struct SMBComWriteRequestAndUnlockRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x05");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 CountOfBytesToWrite;
- [SMBComPramSummary = SMBComPramSummary + FormatString(", %u bytes at Offset %u", CountOfBytesToWrite, WriteOffsetInBytes)]
- UINT32 WriteOffsetInBytes;
- UINT16 EstimateOfRemainingBytesToBeWritten;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- UINT16 DataLength;
- BLOB(DataLength) Data;
- }
-
- struct SMBComWriteAndUnlockResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- [SMBComPramSummary = SMBComPramSummary + FormatString(", %d bytes", CountOfBytesWritten)]
- UINT16 CountOfBytesWritten;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComReadRequestRawRequest
- {
- UINT8 WordCount;
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.Conversation.SMBReadRawFileId$[Property.TCPNextSeqNumber] = Property.SMBFileId,
- Post.Conversation.SMBReadRawFileIdCount$[Property.TCPNextSeqNumber] = Property.SMBFIDCount,
- Post.Conversation.SMBReadRawFileName$[Property.TCPNextSeqNumber] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- [SMBFileOffset]
- UINT32 Offset;
- UINT16 MaxCountOfBytesToReturn;
- UINT16 MinCountOfBytesToReturn;
- UINT32 TimeOut = FormatString("%d milli secs (ignored)",this);
- UINT16 Reserved= ShouldBeSetToTable( this, "0x0000");
- switch(WordCount)
- {
- case 10:
- [
- SMBIsLargeFileOffset = this <> 0xFFFFFFFF && this > 0,
- SMBFileOffset = (this <> 0xFFFFFFFF) ? (SMBFileOffset + this * 4294967296) : SMBFileOffset
- ]
- UINT32 OffsetHigh;
- }
- [SMBComPramSummary = SMBComPramSummary + ", "
- + SMBFormatNumber("%u", FALSE, MaxCountOfBytesToReturn)
- + " bytes at Offset "
- + SMBFormatNumber("%u", SMBIsLargeFileOffset, SMBFileOffset)
- ]
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComReadRawResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount;
- BLOB(WordCount*2) WordData;
- UINT16 ByteCount;
- BLOB(ByteCount) ByteData;
- }
-
- struct SMBComReadRequestMPXRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x08");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT32 FileOffset;
- [SMBComPramSummary = SMBComPramSummary + FormatString(", %u bytes at Offset %u", MaxCountOfBytesToReturn, FileOffset)]
- UINT16 MaxCountOfBytesToReturn;
- UINT16 MinCountOfBytesToReturn;
- UINT32 Timeout = FormatString("%d milli secs (ignored)",this);
- UINT16 Reserved = ShouldBeSetToTable( this, "0x0000");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- //#? This command is enabled for direct-IPX networks only,
- //#? and is used by a client to request an MPX read for a large range.
- //#? Direct-IPX networks are no longer common and are not a default configuration.
- struct SMBComReadRequestMPXSecondaryRequest
- {
- UINT8 WordCount;
- BLOB(WordCount*2) WordParameters;
- UINT16 ByteCount;
- BLOB(ByteCount) ByteParameters;
- }
-
- struct SMBComReadMPXResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x08");
- UINT32 FileOffset;
- UINT16 Count;
- UINT16 Remaining;
- UINT16 DataCompactionMode = MUSTBeSetToTable( this, "0x0000");
- UINT16 Reserved = MUSTBeSetToTable( this, "0x0000");
- UINT16 DataLength;
- UINT16 DataOffset;
- UINT16 ByteCount;
- switch
- {
- case CurrentProtocolOffset < DataOffset:
- BLOB(DataOffset-CurrentProtocolOffset) Pad;
- }
- switch
- {
- case DataLength > 0:
- BLOB(DataLength) Data;
- }
- }
-
- struct SMBComWriteRequestRawRequest
- {
- UINT8 WordCount;
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.Conversation.SMBWriteRawFileID$[Property.TCPNextSeqNumber] = Property.SMBFileID,
- Post.Conversation.SMBWriteRawFileIdCount$[Property.TCPNextSeqNumber] = Property.SMBFIDCount,
- Post.Conversation.SMBWriteRawFileName$[Property.TCPNextSeqNumber] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 CountOfBytes;
- UINT16 Reserved1;
- [SMBFileOffset]
- UINT32 FileOffset;
- UINT32 Timeout = FormatString("%d milli secs (ignored)",this);
- SMBWriteMode WriteMode;
- UINT32 Reserved2 = MUSTBeSetToTable( this, "0x00000000");
- UINT16 DataLength;
- UINT16 DataOffset;
- switch(WordCount)
- {
- case 14:
- [
- SMBIsLargeFileOffset = this <> 0xFFFFFFFF && this > 0,
- SMBFileOffset = (this <> 0xFFFFFFFF) ? (SMBFileOffset + this * 4294967296) : SMBFileOffset
- ]
- UINT32 OffsetHigh;
- }
- [SMBComPramSummary = SMBComPramSummary + ", "
- + SMBFormatNumber("%u", FALSE, CountOfBytes)
- + " bytes at Offset "
- + SMBFormatNumber("%u", SMBIsLargeFileOffset, SMBFileOffset)
- ]
- UINT16 ByteCount;
- switch
- {
- case CurrentProtocolOffset < DataOffset:
- BLOB(DataOffset-CurrentProtocolOffset) Pad;
- }
- UINT8 Data[DataLength];
- }
-
- struct SMBComWriteRawResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- UINT16 Remaining;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComWriteRequestMPXRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x0C");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 TotalByteCount;
- UINT16 Reserved;
- [SMBComPramSummary = SMBComPramSummary + FormatString(", %u bytes at Offset %u", TotalByteCount, ByteOffsetToBeginWrite)]
- UINT32 ByteOffsetToBeginWrite;
- UINT32 TimeOut = FormatString("%d milli secs (ignored)",this);
- SMBWriteMode WriteMode;
- UINT32 RequestMask;
- UINT16 DataLength;
- UINT16 DataOffset;
- UINT16 ByteCount;
- switch
- {
- case DataOffset > CurrentProtocolOffset:
- BLOB(DataOffset - CurrentProtocolOffset) Padding;
- }
- switch
- {
- case DataLength > 0:
- BLOB(DataLength) Data;
- }
- }
-
- struct SMBComWriteMPXResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x02");
- UINT32 ResponseMask;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComWriteRequestMPXSecondaryRequest
- {
- UINT8 WordCount;
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 Count;
- [SMBComPramSummary = SMBComPramSummary + FormatString(", %u bytes at Offset %u", Count, FileOffset)]
- UINT32 FileOffset;
- UINT32 Reserved;
- UINT16 DataLength;
- UINT16 DataOffset;
- UINT16 ByteCount;
- switch
- {
- case DataOffset > CurrentProtocolOffset:
- BLOB(DataOffset - CurrentProtocolOffset) Padding;
- }
- switch
- {
- case DataLength > 0:
- BLOB(DataLength) Data;
- }
- }
-
- struct SMBComWriteCompleteResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount;
- [SMBComPramSummary = SMBComPramSummary + FormatString(", %d bytes", Count)]
- UINT16 Count;
- UINT16 ByteCount;
- }
-
- struct SMBComSetInformationRequest2
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x07");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- SMBDATE CreationDate;
- SMBTIME CreationTime;
- SMBDATE LastAccessDate;
- SMBTIME LastAccessTime;
- SMBDATE LastWriteDate;
- SMBTIME LastWriteTime;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- UINT8 Buffer;
- }
-
- struct SMBComSetInformation2Resp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComQueryInformationRequest2
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComQueryInformation2Resp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x0B");
- SMBDATE CreationDate;
- SMBTIME CreationTime;
- SMBDATE LastAccessDate;
- SMBTIME LastAccessTime;
- SMBDATE LastWriteDate;
- SMBTIME LastWriteTime;
- UINT32 FileDataSize;
- UINT32 FileAllocationSize;
- SMBFileAttributes FileAttributes;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComWriteRequestAndCloseRequest
- {
- UINT8 WordCount;
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 CountOfBytesToWrite;
- [SMBComPramSummary = SMBComPramSummary + FormatString(", %u bytes at Offset %u", CountOfBytesToWrite, WriteOffsetInBytes)]
- UINT32 WriteOffsetInBytes;
- SMBTIME LastWriteTime;
- SMBDATE LastWriteDate;
- switch(WordCount)
- {
- case 12:
- UINT32 Reserved[3];
- }
- UINT16 ByteCount;
- UINT8 Pad;
- UINT8 Buffer[CountOfBytesToWrite];
- }
-
- struct SMBComWriteAndCloseResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount), Disconnected),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- [SMBComPramSummary = SMBComPramSummary + FormatString(", %d bytes", CountOfBytesWritten)]
- UINT16 CountOfBytesWritten;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComCreateDirectoryRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = ", Directory = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) DirectoryName;
- }
-
- struct SMBComCreateDirectoryResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBRequestNTCreateAndX
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x18");
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- UINT8 Reserved;
- UINT16 NameLength;
- SMBNTCreateFlags Flags;
- UINT32 RootDirectotyFID;
- SMBAccessMask DesiredAccess;
- SMBLargeInteger AllocationSize;
- SMBNTFileAttributes ExtFileAttributes;
- SMBNTCreateShareAccess ShareAccess;
- UINT32 CreateDisposition = SMBNTCreateDisposition(this);
- SMBNTCreateOptions CreateOptions;
- UINT32 ImpersonationLevel = SMBNTImpersonationLevelTable(UINT8( Framedata, Offset ));
- SMBSecurityFlags SecurityFlags;
- [Post.SMBBytesEndOffset = frameOffset + 2 + ByteCount]
- UINT16 ByteCount;
- //#? NOT mentioned in Doc
- //UINT8 Pad;
- switch(Property.SMBUnicode)
- {
- case 0:
- _struct AsciiFileName
- {
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- AsciiString FileName;
- }
- case 1:
- _struct UnicodeFileName
- {
- ALIGN2 Align;
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- UnicodeString FileName;
- }
- }
- switch
- {
- case FrameOffset < SMBBytesEndOffset:
- BLOB (SMBBytesEndOffset - FrameOffset) Padding;
- }
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SMBResponseNTCreateAndX
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x1A");
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- UINT8 OpLockLevel = SMBOplockTable(this);
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- conversation.SMBFileNamePerFrame$[FrameNumber] = conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Property.SMBFileName = conversation.SMBFileNamePerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCount$[SMBFileID] = conversation.SMBFileIDCount$[SMBFileID] + 1,
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT32 CreateDisposition = SMBNTCreateDisposition(this);
- //#? SMB Time Structure
- FILETIME CreationTime;
- FILETIME LastAccessTime;
- FILETIME LastWriteTime;
- FILETIME LastChangeTime;
- SMBNTFileAttributes ExtFileAttributes;
- SMBLargeInteger AllocationSize;
- SMBLargeInteger EndOfFile;
- UINT16 ResourceType = SMBFileTypeTable(this);
- [Local.SMBFileAttributesInfo = 0]
- switch(ResourceType)
- {
- case 1:
- case 2:
- SMBDeviceState DeviceState;
- default:
- UINT16 FileStatus
- {
- UINT16 NoEAs:1 = FormatString(" (%s) File or Directory has %sextended attributes (NO_EAS)", this.ToBitString, this ? "NO ":"");
- UINT16 NoSubstreams:1 = FormatString("(%s) File or Directory has %ssubstreams (NO_SUBSTREAMS)", this.ToBitString, this ? "NO ":"");
- UINT16 NoReparseTag:1 = FormatString("(%s) File or Directory is %sa reparse point (NO_REPARSETAG)", this.ToBitString, this ? "NOT ":"");
- UINT16 Reserved:13 = FormatString(" (%s) Reserved", this.ToBitString);
- };
- }
- BOOLEAN Directory = this ? "This is a directory" : "NOT a directory";
- switch
- {
- case WordCount == 0x2A :
- _struct ExtendedCreateAndx
- {
- GUID(FALSE) VolumeGUID;
- UINT64 FileId;
- SMBAccessMask MaxAccessRights;
- SMBAccessMask GuestMaxAccessRights;
- };
- }
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SMBComTreeConnectRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount;
- //must be 0x04
- UINT8 BufferFormat1 = SMBBufferStringFormatsTable(this);
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) Path;
- //must be 0x04
- UINT8 BufferFormat2 = SMBBufferStringFormatsTable(this);
- AsciiString Password;
- //must be 0x04
- UINT8 BufferFormat3 = SMBBufferStringFormatsTable(this);
- [conversation.SmbIsNotPipeConv = !this.contains("IPC")]
- AsciiString Service = SMBTreeConnectAndXServiceTable(this);
- }
-
- struct SMBComTreeConnectResp
- {
- //The value must be 2.
- UINT8 WordCount = MUSTBeSetToTable( this, "0x02");
- UINT16 MaxBufferSize;
- [conversation.SmbIsNotPipe$[this] = conversation.SmbIsNotPipeConv]
- UINT16 Tid;
- //This value must be 0.
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SmbComTreeConnectAndxClientRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x04");
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- [DataFieldByteOrder = LittleEndian]
- UINT16 Flags = FormatString("%s Tree connection to Tid, %s security", (TidDisconnected ? "Disconnect" : "Retain"), ((ExSecuritySignatures || ExSecurityResponse) ? "Extended" : "No extended"))
- {
- UINT16 TidDisconnected:1 = FormatString(" (%s) Tree connection to Tid should %s", this.ToBitString, this ? "be disconnected" : "NOT be disconnected" );
- UINT16 Windows9X:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Set by Windows 9x (ignored)" : "Should be Zero" );
- UINT16 ExSecuritySignatures:1 = FormatString("(%s) %s extended security signatures", this.ToBitString, this ? "Requesting" : "NOT requesting" );
- UINT16 ExSecurityResponse:1 = FormatString(" (%s) %s extended security response", this.ToBitString, this ? "Requesting" : "NOT requesting" );
- UINT16 Reserved:15 = FormatString(" (%s) Reserved", this.ToBitString );
- };
- UINT16 PasswordLength;
- UINT16 ByteCount;
- AsciiString( PasswordLength ) Password;
- [Post.SMBComPramSummary = ", Path = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) Path;
- [SMBComPramSummary = SMBComPramSummary + ", Service = " + this]
- [conversation.SmbIsNotPipeConv = !this.contains("IPC")]
- AsciiString Service = SMBTreeConnectAndXServiceTable(this);
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SMBComTreeConnectAndXBeforeLANMAN2Resp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x03");
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- UINT16 ByteCount;
- [SMBComPramSummary = ", Service = " + this]
- [conversation.SmbIsNotPipe$[property.SMBTID] = conversation.SmbIsNotPipeConv]
- AsciiString Service = SMBTreeConnectAndXServiceTable(this);
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- Table SMBCSCTable(value)
- {
- switch (value)
- {
- case 0: "Automatic file-by-file reintegration is NOT allowed on the share (SMB_CSC_CACHE_MANUAL_REINT)";
- case 1: "Automatic file-by-file reintegration is allowed on the share (SMB_CSC_CACHE_AUTO_REINT)";
- case 2: "Autocaching for programs is enabled (SMB_CSC_CACHE_VDO)";
- case 3: "No client-side caching is allowed on the share (SMB_CSC_NO_CACHING)";
- }
- }
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBOptionalSupport = FormatString("%d (0x%04X)", UINT16(FrameData,Offset),UINT16(FrameData,Offset))
- {
- UINT16 SupportSearchBits:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Search bits supported" : "Search bits NOT supported"), "SMB_SUPPORT_SEARCH_BITS");
- UINT16 ShareIsInDFS:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "DFS share" : "NOT a DFS share") , "SMB_SHARE_IS_IN_DFS");
- UINT16 CacheSupportMask:2 = FormatString(" (%s) %s" , this.ToBitString , SMBCSCTable(this));
- UINT16 UniqueFileName:1 = FormatString(" (%s) %s (%s)" , this.ToBitString , (this ? "Client intends to cache share namespace" : "Client will NOT cache share namespace"), "SMB_UNIQUE_FILE_NAME");
- UINT16 ExtendedSignatures:1 = FormatString("(%s) %s (%s)" , this.ToBitString , (this ? "Extended signatures supported" : "Extended signatures NOT supported") , "SMB_EXTENDED_SIGNATURES");
- UINT16 Reserved_bits6_15:10 = FormatString(" (%s) Reserved" , this.ToBitString);
- }
-
- struct SMBComTreeConnectAndXAfterLANMAN2Resp
- {
- UINT8 WordCount;//3
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- SMBOptionalSupport OptionalSupport;
- UINT16 ByteCount;
- [SMBComPramSummary = ", Service = " + this]
- [conversation.SmbIsNotPipe$[property.SMBTID] = conversation.SmbIsNotPipeConv]
- AsciiString Service = SMBTreeConnectAndXServiceTable(this);
- SMBFileNameString(Property.SMBUnicode, FALSE, 0, ProtocolOffset) NativeFS;
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SmbComTreeConnectAndxServerResponseExtension
- {
- UINT8 WordCount;//7
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- SMBOptionalSupport OptionalSupport;
- SMBAccessMask MaximalShareAccessRights;
- SMBAccessMask GuestMaximalShareAccessRights;
-
- [Post.SMBBytesEndOffset = frameOffset + 2 + ByteCount]
- UINT16 ByteCount;
- [SMBComPramSummary = ", Service = " + this]
- [conversation.SmbIsNotPipe$[property.SMBTID] = conversation.SmbIsNotPipeConv]
- AsciiString Service = SMBTreeConnectAndXServiceTable(this);
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) NativeFileSystem = FormatString("%s",SMBFileNameValue? SMBFileNameValue :"For resources that are not backed by a file system, such as the IPC$ share used for named pipes, this field MUST be set to a single null character");
- switch
- {
- case frameOffset < SMBBytesEndOffset &&
- frameOffset < ProtocolOffset + ANDXOffset &&
- frameOffset < frameLength:
- BLOB(SMBBytesEndOffset - frameOffset) ExtraBytePrameter;
- }
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
- struct SMBComOpenRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x02");
- SMBAccessMode AccessMode;
- SMBFileAttributes SearchAttributes;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- switch(SMBUnicode)
- {
- case 0:
- _struct AsciiFileName
- {
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- AsciiString FileName;
- }
- case 1:
- _struct UnicodeFileName
- {
- ALIGN2 Align;
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- UnicodeString FileName;
- }
- }
- }
-
- struct SMBComOpenResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x07");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- conversation.SMBFileNamePerFrame$[FrameNumber] = conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Property.SMBFileName = conversation.SMBFileNamePerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCount$[SMBFileID] = conversation.SMBFileIDCount$[SMBFileID] + 1,
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- SMBFileAttributes FileAttributes;
- UINT32 LastModified = FormatString("%d sec(s)",this);
- UINT32 FileSize;
- SMBAccessMode AccessMode;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComCreateRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x03");
- SMBFileAttributes FileAttribute;
- //#? Incomplete
- UNIXTIMESTAMP CreationTime;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- switch(SMBUnicode)
- {
- case 0:
- _struct AsciiFileName
- {
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- AsciiString FileName;
- }
- case 1:
- _struct UnicodeFileName
- {
- ALIGN2 Align;
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- UnicodeString FileName;
- }
- }
- }
-
- struct SMBComCreateResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- conversation.SMBFileNamePerFrame$[FrameNumber] = conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Property.SMBFileName = conversation.SMBFileNamePerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCount$[SMBFileID] = conversation.SMBFileIDCount$[SMBFileID] + 1,
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComQueryInformationRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- switch(Property.SMBUnicode)
- {
- case 0:
- _struct AsciiFileName
- {
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- AsciiString FileName;
- }
- case 1:
- _struct UnicodeFileName
- {
- ALIGN2 Align;
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- UnicodeString FileName;
- }
- }
- }
-
- struct SMBComQueryInformationResp
- {
- [
- conversation.SMBFileNamePerFrame$[FrameNumber] = conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Property.SMBFileName = conversation.SMBFileNamePerFrame$[FrameNumber],
- Post.SMBComPramSummary = FormatString(", FileName = %s", Property.SMBFileName),
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID)
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x0A");
- SMBFileAttributes FileAttribute;
- UNIXTIMESTAMP LastWriteTime;
- UINT32 FileSize;
- UINT16 Reserved[5];
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComSetInformationRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x08");
- SMBFileAttributes FileAttribute;
- //# seconds since 00:00:00 on January 1, 1970 (UTC)
- UINT32 LastWriteTime;
- UINT16 Reserved[5];
- UINT16 ByteCount;
- //# Buffer format is always 4.
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- switch(SMBUnicode)
- {
- case 0:
- _struct AsciiFileName
- {
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- AsciiString FileName;
- }
- case 1:
- _struct UnicodeFileName
- {
- ALIGN2 Align;
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- UnicodeString FileName;
- }
- }
- }
-
- struct SMBComSetInformationResp
- {
- [
- conversation.SMBFileNamePerFrame$[FrameNumber] = conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Property.SMBFileName = conversation.SMBFileNamePerFrame$[FrameNumber],
- Post.SMBComPramSummary = FormatString(", FileName = %s", Property.SMBFileName),
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID)
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComReadRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x05");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 CountOfBytesToRead;
- [SMBComPramSummary = SMBComPramSummary + FormatString(", %u bytes at Offset %u", CountOfBytesToRead, ReadOffsetInBytes)]
- [conversation.SmbFileOffsetConv]
- UINT32 ReadOffsetInBytes;
- UINT16 EstimateOfRemainingBytesToBeRead;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComReadResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- [conversation.SmbFileOffsetMVS$[Framenumber] = conversation.SmbFileOffsetConv]
- [property.SMBFileOffset = conversation.SmbFileOffsetMVS$[Framenumber]]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x05");
- [SMBComPramSummary = SMBComPramSummary + FormatString(", %d bytes", CountOfBytesReturned)]
- UINT16 CountOfBytesReturned;
- BLOB(8) Reserved;
- UINT16 ByteCount;
- //always be 1 "data blob"
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- [property.SmbFileFragmentLen]
- UINT16 CountOfBytesRead;
-
- [Local.SMBFileNameRemain = Property.SMBFileName]
- [MaxLoopCount = 200]
- while [Local.SMBFileNameRemain.ContainsBin(2, "5C")]
- {
- [Local.SMBFileNameRemain = UnicodeString(Local.SMBFileNameRemain, 2)]
- struct{};
- }
- switch
- {
- case contains(Property.SMBFileName, "\\ci_skads"):
- CIS CIS;
- case Local.SMBFileNameRemain.containsBin(2, "2E")://It's not pipe data when include "." in the file name
- switch
- {
- case conversation.Parent.SmbIsNotPipe$[property.SMBTID] || IsValueNone(conversation.Parent.SmbIsNotPipe$[property.SMBTID]):
- [
- PayloadStart(
- NetworkDirection, /* direction */
- 0, /* id */
- property.SMBFileOffset, /* sequence token */
- property.SMBFileOffset + property.SmbFileFragmentLen, /* next sequence token */
- 0, /* total payload length */
- Property.IsMoreThanOneSMBOverTcp ? 1 : property.SMBFileOffset == 0, /* is first */
- Property.IsMoreThanOneSMBOverTcp ? 1 : 0, /* is last */
- RssmblyIndStartBit + RssmblyIndEndBit + RssmblySequenceBit,
- 0x0000,
- 0,
- 0x0000,
- Property.SMBFileName
- )
- ]
- [DataFieldFrameLength = FrameOffset + property.SmbFileFragmentLen]
- switch
- {
- case property.SMBFileOffset == 0:
- FileTypeContent FileTypeContent;
- default:
- blob(FrameLength - FrameOffset) ContinualData;
- }
- default:
- BLOB(Property.SmbFileFragmentLen) Payload;
- }
- default:
- BLOB(Property.SmbFileFragmentLen) PipePayload;
- }
- }
-
- struct SMBComWriteRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x05");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 CountOfBytesToWrite;
- [SMBComPramSummary = SMBComPramSummary + FormatString(", %u bytes at Offset %u", CountOfBytesToWrite, WriteOffsetInBytes)]
- UINT32 WriteOffsetInBytes;
- UINT16 EstimateOfRemainingBytesToBeWritten;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- UINT16 DataLength;
- switch
- {
- case DataLength > 0:
- BLOB(DataLength) Data;
- }
- }
-
- struct SMBComWriteResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- [SMBComPramSummary = SMBComPramSummary + FormatString(", %d bytes", CountOfBytesWritten)]
- UINT16 CountOfBytesWritten;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComLockByteRangeRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x05");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- //#? Reversed
- UINT32 CountOfBytesToLock;
- //#? Reversed
- [SMBComPramSummary = SMBComPramSummary + FormatString(", %u bytes at Offset %u", CountOfBytesToLock, LockOffsetInBytes)]
- UINT32 LockOffsetInBytes;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- //#maybe NOT finished
- }
-
- struct SMBComLockByteRangeResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComCreateNewRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x03");
- //#? Incomplete
- SMBFileAttributes FileAttribute;
- //#? Incomplete
- UNIXTIMESTAMP FileCreationTime;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- switch(SMBUnicode)
- {
- case 0:
- _struct AsciiFileName
- {
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- AsciiString FileName;
- }
- case 1:
- _struct UnicodeFileName
- {
- ALIGN2 Align;
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- UnicodeString FileName;
- }
- }
- }
-
- struct SMBComCreateNewResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- conversation.SMBFileNamePerFrame$[FrameNumber] = conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Property.SMBFileName = conversation.SMBFileNamePerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCount$[SMBFileID] = conversation.SMBFileIDCount$[SMBFileID] + 1,
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComProcessExitRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComProcessExitResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComQueryInformationDiskRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComQueryInformationDiskResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x05");
- UINT16 TotalUnits;
- UINT16 BlocksPerUnit;
- UINT16 BlockSize;
- UINT16 FreeUnits;
- UINT16 Reserved;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- //# SMBPUB.DOC page 43 SEARCH: Search Directory
- struct SMBComSearchRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x02");
- UINT16 MaxCount;
- //#? Incomplete
- SMBFileAttributes SearchAttribute;
- UINT16 ByteCount;
- //0x04 -- ASCII
- UINT8 BufferFormat1 = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = ", Filename = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) FileName;
- //0x05 -- Variable block
- UINT8 BufferFormat2 = SMBBufferStringFormatsTable(this);
- UINT16 ResumeKeyLength;
- switch
- {
- case ResumeKeyLength > 0:
- SMBResumeKey ResumeKey;
- }
- }
-
- //# SMBPUB.DOC page 43 SEARCH: Search Directory
- struct SMBComSearchResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- [Post.SMBComPramSummary = FormatString(", FindCount = %d", FindCount)]
- UINT16 FindCount;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- UINT16 DataLength;
- while[FrameOffset < FrameLength]
- {
- SMBDirectoryInformation DirectoryInformation;
- }
- }
-
- struct SMBComOpenPrintFileRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x02");
- UINT16 SetupLength;
- UINT16 Mode = SMBPrintFileMode(this);
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- switch(SMBUnicode)
- {
- case 0:
- _struct AsciiIDstring
- {
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- AsciiString IdentifierString;
- }
- case 1:
- _struct UnicodeIDstring
- {
- ALIGN2 Align;
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- UnicodeString IdentifierString;
- }
- }
- }
-
- struct SMBComOpenPrintFileResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- conversation.SMBFileNamePerFrame$[FrameNumber] = conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Property.SMBFileName = conversation.SMBFileNamePerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCount$[SMBFileID] = conversation.SMBFileIDCount$[SMBFileID] + 1,
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComWriteRequestPrintFileRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- UINT16 DataLength;
- BLOB(DataLength > FrameLength - FrameOffset ? FrameLength - FrameOffset : DataLength) FileData;
- }
-
- struct SMBComWritePrintFileResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComClosePrintFileRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComClosePrintFileResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount), Disconnected),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComGetPrintQueueRequest
- {
- UINT8 WordCount;
- UINT16 MaxCount;
- UINT16 StartIndex;
- UINT16 ByteCount;
- }
-
- struct SMBComGetPrintQueueResp
- {
- UINT8 WordCount;
- UINT16 Count;
- UINT16 RestartIndex;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- [PrintQueueInfoEndOffset = FrameOffset + DataLength]
- UINT16 DataLength;
- while PrintQueueEntries[FrameOffset < PrintQueueInfoEndOffset]
- {
- struct PrintQueueInfo = this.SpoolFileName.ToString
- {
- SMBDATE PrintQueueDate;
- SMBTIME PrintQueueTime;
- UINT8 Status = SMBPrintJobStatusTable(this);
- UINT16 SpoolFileNumber;
- UINT32 SpoolFileSize;
- UINT8 Reserved;
- //UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- SMBFileNameString(SMBUnicode, TRUE, 16, ProtocolOffset) SpoolFileName;
- }
- }
- switch
- {
- case FrameOffset < PrintQueueInfoEndOffset:
- BLOB(PrintQueueInfoEndOffset - FrameOffset) LeftData;
- }
- }
-
- struct SMBComSendSingleMessageRequest
- {
- UINT8 WordCount;
- UINT16 ByteCount;
- UINT8 BufferFormat1 = SMBBufferStringFormatsTable(this);
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) OriginatorName;
- UINT8 BufferFormat2 = SMBBufferStringFormatsTable(this);
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) DestinationName;
- UINT8 BufferFormat3 = SMBBufferStringFormatsTable(this);
- UINT16 DataLength;
- AsciiString(DataLength) Message;
- }
-
- struct SMBComSendSingleMessageResp
- {
- UINT8 WordCount;
- UINT16 ByteCount;
- //UINT8 Buffer;
- }
-
- // This message is broadcast and there is no response to this message.
- struct SMBComSendBroadcastMessageRequest
- {
- UINT8 WordCount;
- UINT16 ByteCount;
- UINT8 BufferFormat1 = SMBBufferStringFormatsTable(this);
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) OriginatorName;
- UINT8 BufferFormat2 = SMBBufferStringFormatsTable(this);
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) DestinationName;
- UINT8 BufferFormat3 = SMBBufferStringFormatsTable(this);
- UINT16 DataLength;
- AsciiString(DataLength) Message;
- }
-
- struct SMBComForwardUserNameRequest
- {
- UINT8 WordCount;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) ForwardedName;
- }
-
- struct SMBComForwardUserNameResp
- {
- UINT8 WordCount;
- UINT16 ByteCount;
- UINT8 Buffer;
- }
-
- struct SMBComCancelForwardRequest
- {
- UINT8 WordCount;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) ForwardedName;
- }
-
- struct SMBComCancelForwardResp
- {
- UINT8 WordCount;
- UINT16 ByteCount;
- UINT8 Buffer;
- }
-
- struct SMBComGetMachineNameRequest
- {
- UINT8 WordCount;
- UINT16 ByteCount;
- UINT8 Buffer;
- }
-
- struct SMBComGetMachineNameResp
- {
- UINT8 WordCount;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = ", MachineName = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) MachineName;
- }
-
- struct SMBComSendStartOfMultiBlockMessageRequest
- {
- UINT8 WordCount;
- UINT16 ByteCount;
- UINT8 BufferFormat1 = SMBBufferStringFormatsTable(this);
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) OriginatorName;
- UINT8 BufferFormat2 = SMBBufferStringFormatsTable(this);
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) DestinationName;
- }
-
- struct SMBComSendStartOfMultiBlockMessageResp
- {
- UINT8 WordCount;
- UINT16 MessageGroupId;
- UINT16 ByteCount;
- //UINT8 Buffer;
- }
-
- struct SMBComSendEndOfMultiBlockMessageRequest
- {
- UINT8 WordCount;
- UINT16 MessageGroupId;
- UINT16 ByteCount;
- //UINT8 Buffer;
- }
-
- struct SMBComSendEndOfMultiBlockMessageResp
- {
- UINT8 WordCount;
- UINT16 ByteCount;
- //UINT8 Buffer;
- }
-
- struct SMBComSendTextOfMultiBlockMessageRequest
- {
- UINT8 WordCount;
- UINT16 MessageGroupId;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- UINT16 DataLength;
- AsciiString(DataLength) Message;
- }
-
- struct SMBComSendTextOfMultiBlockMessageResp
- {
- UINT8 WordCount;
- UINT16 ByteCount;
- //UINT8 Buffer;
- }
-
- struct SMBComDeleteDirectoryRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = ", Dir = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) DirectoryName;
- }
-
- struct SMBComDeleteDirectoryResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComCloseRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x03");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " , FileName=" + Property.SMBFileName + " " : "")
- ]
- UINT16 FileID;
- UINT32 LastTimeModified;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComCloseResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount), Disconnected),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " , FileName=" + Property.SMBFileName + " " : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComFlushRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComFlushResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComDeleteRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- SMBFileAttributes SearchAttribute;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = ", File = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) FileName;
- }
-
- struct SMBComDeleteResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComRenameRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- SMBFileAttributes SearchAttributes;
- UINT16 ByteCount;
- //BLOB( ByteCount ) ByteParamenters;
- //Buffer format contains value 0x04.
- UINT8 BufferFormat1 = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = ", " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) OldFileName;
- UINT8 BufferFormat2 = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = SMBComPramSummary + " To " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) NewFileName;
- }
-
- struct SMBComRenameResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComCreateTemporaryRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x03");
- SMBFileAttributes SearchAttributes;
- UNIXTIMESTAMP CreationTime;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- switch(SMBUnicode)
- {
- case 0:
- _struct AsciiFileName
- {
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", Dir = " + this
- ]
- AsciiString DirectoryName;
- }
- case 1:
- _struct UnicodeFileName
- {
- ALIGN2 Align;
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", Dir = " + this
- ]
- UnicodeString DirectoryName;
- }
- }
- }
-
- struct SMBComCreateTemporaryResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x02");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- conversation.SMBFileNamePerFrame$[FrameNumber] = conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Property.SMBFileName = conversation.SMBFileNamePerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCount$[SMBFileID] = conversation.SMBFileIDCount$[SMBFileID] + 1,
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = ", File = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) FileName;
- }
-
- struct SMBComCheckDirectoryRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = ", Dir = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) DirectoryName;
- }
-
- struct SMBComCheckDirectoryResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- Table SMBFileSeekModeTable(mode)
- {
- switch(mode)
- {
- case 0: FormatString("From Start Of File, %d(0x%X)", mode, mode);
- case 1: FormatString("From Current Position, %d(0x%X)", mode, mode);
- case 2: FormatString("From End Of File, %d(0x%X)", mode, mode);
- default: FormatString("Unknown seek mode %d(0x%X)", mode, mode);
- }
- }
-
- struct SMBComSeekRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x04");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 SeekMode = SMBFileSeekModeTable(this);
- UINT32 Offset;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- };
-
- struct SMBComSeekResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x02");
- UINT32 Offset;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBLockRange = FormatString("PID: %u, %s at Offset %u of Length %u", Pid, SMBIsLock?"Lock":"Unlock", FileOffset, Length)
- {
- UINT16 Pid;
- UINT32 FileOffset;
- UINT32 Length;
- }
-
- struct SMBLargeLockRange = FormatString("PID: %u, %s at Offset %s of Length %s",
- Pid,
- SMBIsLock?"Lock":"Unlock",
- SMBFormatNumber("%u", SMBIsLargeLockOffset, SMBLockOffset),
- SMBFormatNumber("%u", SMBIsLargeLength, SMBLockLength))
- {
- UINT16 Pid;
- UINT16 Padding;
- [SMBIsLargeLockOffset = this <> 0xFFFFFFFF && this > 0]
- UINT32 OffsetHigh;
- [SMBLockOffset = (OffsetHigh <> 0xFFFFFFFF) ? (OffsetLow + OffsetHigh * 4294967296) : OffsetLow]
- UINT32 OffsetLow;
- [SMBIsLargeLength = this <> 0xFFFFFFFF && this > 0]
- UINT32 LengthHigh;
- [SMBLockLength = (OffsetHigh <> 0xFFFFFFFF) ? (LengthLow + LengthHigh * 4294967296) : LengthLow]
- UINT32 LengthLow;
- }
-
- Table SMBLockingAndXTimeout(timeout)
- {
- switch(timeout)
- {
- case 0x00000000: "Fail if a specified byte range is already locked";
- case 0xFFFFFFFF: "Wait for each byte range become unlocked";
- default: FormatString("Maximum wait for %d Milliseconds",timeout);
- }
- }
-
- Table SMBNewFileLockingLevelTable(value)
- {
- switch(value)
- {
- case 0: "The client will not own an Oplock";
- case 1: "The client will own a Level II Oplock";
- default: "Unknown Level";
- }
- }
-
- struct SMBComLockingAndXRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x08");
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- [DataFieldByteOrder = LittleEndian]
- UINT8 TypeOfLock
- {
- UINT8 Shared:1 = FormatString(" (%s) %s lock", this.ToBitString, this ? "Read-only" : "Exclusive");
- UINT8 OpLock:1 = FormatString(" (%s) %s of dynamic lock break", this.ToBitString, this ? "Notification" : "No notification");
- UINT8 Change:1 = FormatString(" (%s) %s lock type", this.ToBitString, this ? "Change" : "Do NOT change");
- UINT8 Cancel:1 = FormatString(" (%s) %s outstanding lock request", this.ToBitString, this ? "Cancel" : "Do NOT cancel");
- UINT8 LargeFile:1 = FormatString("(%s) Large file Locking format %s", this.ToBitString, this ? "requested" : "NOT requested");
- UINT8 Reserved:3 = FormatString(" (%s) Reserved", this.ToBitString);
- };
- UINT8 NewOpLockLevel = SMBNewFileLockingLevelTable(this);
- UINT32 TimeOut = SMBLockingAndXTimeout(this);
- UINT16 NumberOfRequestedUnlocks;
- UINT16 NumberOfRequestedLocks;
- UINT16 ByteCount;
- [SMBIsLock = FALSE]
- switch
- {
- case TypeOfLock.LargeFile:
- SMBLargeLockRange LargeUnlock[NumberOfRequestedUnlocks];
- default:
- SMBLockRange Unlock[NumberOfRequestedUnlocks];
- }
- [SMBIsLock = TRUE]
- switch
- {
- case TypeOfLock.LargeFile:
- SMBLargeLockRange LargeLock[NumberOfRequestedLocks];
- default:
- SMBLockRange Lock[NumberOfRequestedLocks];
- }
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SMBComLockingAndXResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x02");
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SMBComIOCTLPrimaryRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x0E");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 Category;
- UINT16 Function;
- UINT16 TotalParameterCount;
- UINT16 TotalDataCount;
- UINT16 MaxParameterCount;
- UINT16 MaxDataCount;
- UINT32 TimeOut = FormatString("%d milli sec(s)",this);
- UINT16 Reserved;
- UINT16 ParameterCount;
- UINT16 ParameterOffset;
- UINT16 DataCount;
- UINT16 DataOffset;
- UINT16 ByteCount;
- switch
- {
- case CurrentProtocolOffset < ParameterOffset:
- BLOB(ParameterOffset - CurrentProtocolOffset) Pad1;
- }
- switch
- {
- case ParameterCount > 0:
- BLOB(ParameterCount) Parameters;
- }
- switch
- {
- case CurrentProtocolOffset < DataOffset:
- BLOB(DataOffset - CurrentProtocolOffset) Pad2;
- }
- switch
- {
- case DataCount > 0:
- BLOB(DataCount) Data;
- }
- }
-
- struct SMBComIOCTLSecondaryRequest
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount;
- UINT16 TotalParameterCount;
- UINT16 TotalDataCount;
- UINT16 ParameterCount;
- UINT16 ParameterOffset;
- UINT16 ParameterDisplacement;
- UINT16 DataCount;
- UINT16 DataOffset;
- UINT16 DataDisplacement;
- UINT16 ByteCount;
- BLOB(ByteCount) Buffer;
- }
-
- [Property.SMBInterimResponse = true]
- struct SMBComInterimResponseIOCTL
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount;
- UINT16 ByteCount;
- }
-
- struct SMBComIOCTLResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x08");
- UINT16 TotalParameterCount;
- UINT16 TotalDataCount;
- UINT16 ParameterCount;
- UINT16 ParameterOffset;
- UINT16 ParameterDisplacement = ShouldBeSetToTable( this, "0x0000");
- UINT16 DataCount;
- UINT16 DataOffset;
- UINT16 DataDisplacement = ShouldBeSetToTable( this, "0x0000");
- UINT16 ByteCount;
- switch
- {
- case CurrentProtocolOffset < ParameterOffset:
- BLOB(ParameterOffset - CurrentProtocolOffset) Pad1;
- }
- switch
- {
- case ParameterCount > 0:
- BLOB(ParameterCount) Parameters;
- }
- switch
- {
- case CurrentProtocolOffset < DataOffset:
- BLOB(DataOffset - CurrentProtocolOffset) Pad2;
- }
- switch
- {
- case DataCount > 0:
- BLOB(DataCount) Data;
- }
- }
-
- struct SMBComCopyRequest
- {
- UINT8 WordCount ;
- UINT16 Tid2;
- SMBOpenFunction OpenFunction;
- [DataFieldByteOrder = LittleEndian]
- UINT16 Flags
- {
- UINT16 TargetFile:1 = FormatString(" (%s) Target %s be a file", this.ToBitString, this ? "must" : "is NOT required to be");
- UINT16 TargetDirectory:1 = FormatString(" (%s) Target %s be a directory", this.ToBitString, this ? "must" : "is NOT required to be");
- UINT16 TargetMode:1 = FormatString(" (%s) %s copy target mode", this.ToBitString, this ? "ASCII" : "Binary");
- UINT16 SourceMode:1 = FormatString(" (%s) %s copy source mode", this.ToBitString, this ? "ASCII" : "Binary");
- UINT16 WriteOptVerification:1 = FormatString("(%s) %s write operations", this.ToBitString, this ? "Verify" : "Do NOT verify");
- UINT16 TreeCopy:1 = FormatString(" (%s) %s copy", this.ToBitString, this ? "Tree" : "NOT a tree");
- UINT16 Reserved_bits6_15:10 = FormatString(" (%s) Reserved", this.ToBitString);
- };
- UINT16 ByteCount;
- //UINT8 SourceFileNameFormat = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = ", " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) SourceFileName;
- // skipping Null to end the SMB frame
- while [!UINT8( Framedata, Offset )]
- {
- UINT8 skip_NULL;
- };
- //UINT8 TargetFileNameFormat = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = SMBComPramSummary + " To " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) TargetFileName;
- }
-
- struct SMBComCopyResp
- {
- UINT8 WordCount;
- UINT16 Count;
- UINT16 ByteCount;
- // These fields exist only when an error has occurred
- switch
- {
- case ByteCount > 0:
- switch(WordCount)
- {
- case 0: // Window implement different from CIFS
- [Post.SMBComPramSummary = SMBComPramSummary + ", ErrorFile = " + ErrorFileName]
- UnicodeString ErrorFileName;
- case 1:
- _struct ErrorFile
- {
- UINT8 ErrorFileFormat = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = SMBComPramSummary + ", ErrorFile = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) ErrorFileName;
- }
- }
- }
- }
-
- Table SMBMoveOpenFunctionTable(value)
- {
- switch
- {
- case (value & 0x30) == 0x00: "Operation failure";
- case (value & 0x30) == 0x20: "Overwrite target file";
- default: "Undefined";
- }
- }
-
- struct SMBComMoveRequest
- {
- UINT8 WordCount;
- UINT16 Tid2;
- UINT16 OpenFunction = FormatString("%s, %d(%#x)", SMBMoveOpenFunctionTable(this), this, this);
- [DataFieldByteOrder = LittleEndian]
- UINT16 Flags
- {
- UINT16 TargetFile:1 = FormatString(" (%s) Target %s be a file", this.ToBitString, this ? "must" : "is NOT required to be");
- UINT16 TargetDirectory:1 = FormatString(" (%s) Target %s be a directory", this.ToBitString, this ? "must" : "is NOT required to be");
- UINT16 Reserved_bits2_3:2 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT16 WriteOptVerification:1 = FormatString("(%s) %s write operations", this.ToBitString, this ? "Verify" : "Do NOT verify");
- UINT16 Reserved_bits5_15:11 = FormatString(" (%s) Reserved", this.ToBitString);
- };
- UINT16 ByteCount;
- // reference CIFS-TR-1p00-FINAL.pdf , page 92
- //UINT8 FormatOld;
- [Post.SMBComPramSummary = ", " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) OldFilename;
- // skipping Null to end the SMB frame
- while [ !UINT8( Framedata, Offset )]
- {
- UINT8 skip_NULL;
- };
- // reference CIFS-TR-1p00-FINAL.pdf , page 92
- //UINT8 FormatNew;
- [Post.SMBComPramSummary = SMBComPramSummary + " To " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) NewFilename;
- }
-
- struct SMBComMoveResp
- {
- UINT8 WordCount;
- UINT16 Count;
- UINT16 ByteCount;
- // These fields exist only when an error has occurred
- switch
- {
- case ByteCount > 0:
- switch(WordCount)
- {
- case 0: // Window implement different from CIFS
- [Post.SMBComPramSummary = SMBComPramSummary + ", ErrorFile = " + ErrorFileName]
- UnicodeString ErrorFileName;
- case 1:
- _struct ErrorFile
- {
- UINT8 ErrorFileFormat = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = SMBComPramSummary + ", ErrorFile = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) ErrorFileName;
- }
- }
- }
- }
-
- struct SMBComEchoRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- UINT16 Echocount;
- UINT16 ByteCount;
- BLOB( ByteCount) Buffer;
- }
-
- struct SMBComEchoResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- UINT16 SequenceNumber;
- UINT16 ByteCount;
- BLOB( ByteCount) Buffer;
- }
-
- struct SMBResumeKey
- {
- [DataFieldByteOrder = LittleEndian]
- UINT8 Reserved
- {
- UINT8 Client:7 = FormatString("(%s) Reserved for use by client", this.ToBitString);
- UINT8 Server:1 = FormatString("(%s) Reserved for use by server", this.ToBitString);
- };
- AsciiString(11) FileName;
- BLOB(5) ReservedForServer;
- BLOB(4) ReservedForConsumer;
- }
-
- struct SMBComFindRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x02");
- UINT16 MaxCount;
- SMBFileAttributes SearchAttributes;
- UINT16 ByteCount;
- UINT8 BufferFormat1 = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = ", File = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) FileName;
- UINT8 BufferFormat2 = SMBBufferStringFormatsTable(this);
- UINT16 ResumeKeyLength;
- SMBResumeKey ResumeKey;
- }
-
- struct SMBComFindResp
- {
- //This value must be 1.
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- UINT16 Count;
- UINT16 ByteCount;
- //This value must be "0x05".
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- [SMBFindEndOffset = FrameOffset + 2 + this]
- UINT16 DataLength;
- While DirectoryInformationData[frameOffset < SMBFindEndOffset]
- {
- SMBDirectoryInformation DirectoryInformation;
- }
- }
-
- struct SMBComFindUniqueRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x02");
- UINT16 MaxCount;
- SMBFileAttributes SearchAttributes;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = ", File = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) FileName;
- UINT8 BufferFormat2 = SMBBufferStringFormatsTable(this);
- UINT16 ResumeKeyLength = MUSTBeSetToTable( this, "0x0000");
- switch
- {
- case ResumeKeyLength > 0:
- SMBResumeKey ResumeKey;
- }
- }
-
- struct SMBDirectoryInformation = FormatString("%s %s %s %d %s",
- LastWriteDate.ToString,
- LastWriteTime.ToString,
- FileAttributes.Directory ? "<Dir> " : "<File>", /* FILE_ATTRIBUTE_DIRECTORY */
- FileSize,
- FileName)
- {
- SMBResumeKey ResumeKey;
- SMBFileBYTEAttributes FileAttributes;
- SMBTIME LastWriteTime;
- SMBDATE LastWriteDate;
- UINT32 FileSize;
- AsciiString(13) FileName;
- }
-
- struct SMBComFindUniqueResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- UINT16 Count;
- UINT16 ByteCount;
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- [SMBFindUniqueEndOffset = FrameOffset + 2 + this]
- UINT16 DataLength;
- while[FrameOffset < SMBFindUniqueEndOffset]
- {
- SMBDirectoryInformation DirectoryInformation;
- }
- }
-
- struct SMBComFindCloseRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x02");
- UINT16 MaxCount;
- UINT16 SearchAttributes;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x001A");
- UINT8 BufferFormat1 = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = SMBFileNameValue ? ", File = " + SMBFileNameValue : ""]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) FileName;
- UINT8 BufferFormat2 = SMBBufferStringFormatsTable(this);
- UINT16 ResumeKeyLength;
- SMBResumeKey ResumeKey = MUSTBeSetToTable( this, "0x0015");
- }
-
- struct SMBComFindCloseResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- UINT16 Count;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x03"); // min = 3
- switch
- {
- case FrameOffset < FrameLength:
- // Even ByteCount = 3, this buffer may not exist
- _struct Buffer
- {
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- UINT16 DataLength;
- BLOB(DataLength) Data;
- }
- }
- }
-
- //
- //SNIA Technical Proposal, Revision 1.0, page 70, 4.2.4. READ_ANDX: Read Bytes
- //
- struct SMBComReadRequestAndXRequest
- {
- UINT8 WordCount;
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 ANDXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- [property.SMBFileOffset]
- UINT32 FileOffset;
- UINT16 MaxCountOfBytesToReturn;
- UINT16 MinCountOfBytesToReturn;
- [
- SMBIsLargeMaxCount = this <> 0xFFFFFFFF && this > 65535,
- SMBMaxCount = (this <> 0xFFFFFFFF) ? (this * 65536 + MaxCountOfBytesToReturn) : MaxCountOfBytesToReturn
- ]
- UINT32 TimeoutOrMaxCountHigh;
- UINT16 Remaining;
- switch(WordCount)
- {
- case 12:
- [
- SMBIsLargeFileOffset = this <> 0xFFFFFFFF && this > 0,
- SMBFileOffset = (this <> 0xFFFFFFFF) ? (SMBFileOffset + this * 4294967296) : SMBFileOffset
- ]
- UINT32 OffsetHigh;
- };
- [conversation.SmbFileOffsetConv = SMBFileOffset]
- [SMBComPramSummary = SMBComPramSummary + ", "
- + SMBFormatNumber("%u", SMBIsLargeMaxCount, SMBMaxCount)
- + " bytes at Offset "
- + SMBFormatNumber("%u", SMBIsLargeFileOffset, SMBFileOffset)
- ]
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SMBComReadAndXResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- [conversation.SmbFileOffsetMVS$[Framenumber] = conversation.SmbFileOffsetConv]
- [property.SMBFileOffset = conversation.SmbFileOffsetMVS$[Framenumber]]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x0C");
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 ANDXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- UINT16 Available;
- UINT16 DataCompactionMode;
- UINT16 Reserved1;
- UINT16 DataLength;
- UINT16 DataOffset;
- [Property.SMBDataLength = this * 65536 + DataLength]
- [post.property.SmbFileFragmentLen = Property.SMBDataLength]
- UINT16 DataLengthHigh;
- [SMBComPramSummary = SMBComPramSummary + FormatString(", %u bytes", Property.SMBDataLength)]
- BLOB(8) Reserved2;
- UINT16 ByteCount;
- switch
- {
- case DataOffset > CurrentProtocolOffset:
- BLOB(DataOffset - CurrentProtocolOffset) Padding;
- }
- Switch
- {
- case UINT8( Framedata, Offset ) == 0x05 &&
- ( UINT8( Framedata, Offset + 1 ) == 0 || UINT8( Framedata, Offset + 1 ) == 1 ) &&
- ( FrameLength - FrameOffset >= 16 ) &&
- ( UINT8( Framedata, Offset + 2 ) == 0 ||
- UINT8( Framedata, Offset + 2 ) == 2 ||
- UINT8( Framedata, Offset + 2 ) == 3 ||
- ( UINT8( Framedata, Offset + 2 ) >= 11 &&
- UINT8( Framedata, Offset + 2 ) <= 19 )) &&
- ( UINT8( Framedata, Offset + 4 ) & 0xEE ) == 0 &&
- UINT8( Framedata, Offset + 5 ) < 4 &&
- UINT8( Framedata, Offset + 6 ) == 0 &&
- UINT8( Framedata, Offset + 7 ) == 0 :
- MSRPC MSRPC;
- default:
- switch
- {
- case !(ConvID > 0):
- _struct ReportWarning
- {
- ReportParserWarning( "SMB", "May not parse correctly when conversation off") ParserWarning;
- BLOB( (Property.SMBDataLength < FrameLength - FrameOffset) ? Property.SMBDataLength : (FrameLength - FrameOffset)) Buffer;
- };
- default:
- struct
- {
- [Local.SMBFileNameRemain = Property.SMBFileName]
- [MaxLoopCount = 200]
- while [Local.SMBFileNameRemain.ContainsBin(2, "5C")]
- {
- [Local.SMBFileNameRemain = UnicodeString(Local.SMBFileNameRemain, 2)]
- struct{};
- }
- switch
- {
- case Local.SMBFileNameRemain.containsBin(2, "2E")://It's not pipe data when include "." in the file name
- switch
- {
- case conversation.Parent.SmbIsNotPipe$[property.SMBTID] || IsValueNone(conversation.Parent.SmbIsNotPipe$[property.SMBTID]):
- [
- PayloadStart(
- NetworkDirection, /* direction */
- 0, /* id */
- property.SMBFileOffset, /* sequence token */
- property.SMBFileOffset + property.SmbFileFragmentLen, /* next sequence token */
- 0, /* total payload length */
- Property.IsMoreThanOneSMBOverTcp ? 1 : property.SMBFileOffset == 0, /* is first */
- Property.IsMoreThanOneSMBOverTcp ? 1 : 0, /* is last */
- RssmblyIndStartBit + RssmblyIndEndBit + RssmblySequenceBit,
- 0x0000,
- 0,
- 0x0000,
- Property.SMBFileName
- )
- ]
- [DataFieldFrameLength = FrameOffset + property.SmbFileFragmentLen]
- switch
- {
- case property.SMBFileOffset == 0:
- FileTypeContent FileTypeContent;
- default:
- blob(FrameLength - FrameOffset) ContinualData;
- }
- default:
- BLOB(Property.SmbFileFragmentLen) Payload;
- }
- default:
- [PayloadStart(
- NetworkDirection, /* direction */
- Property.SMBFileID, //identifier
- 0, //sequence token
- 0, //next sequence
- 0, //total payload length
- 0, //is first
- 0, //is last
- RssmblyIndStartBit+RssmblyIndLengthBit, //has start and end indication
- 0x0000, /* Properties... */
- SMBResponse,
- 0x0000,
- ""
- )
- ]
- switch
- {
- case contains(Property.SMBFileName, "\\ci_skads"):
- CIS CIS;
- default:
- BLOB(Property.SmbFileFragmentLen) PipePayload;
- }
- }
- }
- };
- }
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SMBComCloseAndTreeDisconnectedRequest
- {
- UINT8 WordCount;
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- TIMESTAMP LastWriteTime;
- UINT16 ByteCount;
- }
-
- struct SMBComCloseAndTreeDisconnectedResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount), Disconnected),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount ;
- UINT16 ByteCount;
- }
-
- struct SMBComFindClose2Request
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComFindClose2Resp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount), Disconnected),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComFindNotifyCloseRequest
- {
- UINT8 WordCount;
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 ByteCount;
- }
-
- struct SMBComFindNotifyCloseResp
- {
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount), Disconnected),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT8 WORDCount;
- UINT16 ByteCount;
- }
-
- struct SMBComTreeDisconnectRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComTreeDisconnectResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- struct SMBComNegotiateRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- [SMBNegotiateEndOffset = frameOffset + 2 + this]
- UINT16 ByteCount;
- //
- // Here, the dialect Names are always transmitted as ASCII String
- //
- [DialectCount = 0]
- while Dialects [( frameOffset < SMBNegotiateEndOffset) && UINT8( Framedata, Offset ) == 0x02]
- {
- struct Dialect = DialectName
- {
- UINT8 BufferFormat = SMBBufferStringFormatsTable(this);
- [
- Post.SMBComPramSummary = (DialectCount == 0) ? ", Dialect = " + DialectName : SMBComPramSummary + ", " + DialectName,
- conversation.SMBDialectTable$[DialectCount],
- Post.DialectCount = DialectCount + 1
- ]
- AsciiString DialectName;
- };
- }
- }
-
- struct SMBComNegotiateDialectUnknownResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x01");
- [Post.SMBComPramSummary = FormatString(", Dialect is %s (#%d)", conversation.SMBDialectTable$[DialectIndex], DialectIndex)]
- UINT16 DialectIndex;
- UINT16 ByteCount;
- switch
- {
- case ByteCount > 0:
- BLOB(ByteCount) BytePrameters;
- }
- }
-
- // http://www.cifs.org/mediawiki/images/b/b9/1992-02-29-SMB-LM21.pdf
- struct SmbComNegotiateResponseLM21
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x0D");
- [Post.SMBComPramSummary = FormatString(", Dialect is %s (#%d)", conversation.SMBDialectTable$[DialectIndex], DialectIndex)]
- UINT16 DialectIndex;
- UINT16 SecurityMode;
- UINT16 MaxXmt;
- UINT16 MaxMux;
- UINT16 MaxVcs;
- UINT16 BlkMode;
- UINT32 SessionKey;
- SMBTIME ServerTime;
- SMBDATE ServerDate;
- INT16 ServerTimeZone;
- UINT16 CryptKeyLength;
- UINT16 Reserved;
- UINT16 ByteCount;
- Blob(CryptKeyLength) CryptKey;
- SMBFileNameString(SMBUnicode, FALSE, 0, FrameOffset) DomainName;
- }
-
- struct SmbComNegotiateResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x11");
- [Post.SMBComPramSummary = FormatString(", Dialect is %s (#%d)", conversation.SMBDialectTable$[DialectIndex], DialectIndex)]
- UINT16 DialectIndex;
- [DataFieldByteOrder = LittleEndian]
- UINT8 SecurityMode
- {
- UINT8 UserSecurity:1 = FormatString(" (%s) %s", this.ToBitString, this ? "User Mode" : "Share Mode");
- UINT8 EncryptedPasswords:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Encrypted Passwords Required" : "Encrypted Passwords NOT Required");
- UINT8 SecuritySignaturesEnable:1 = FormatString(" (%s) Security signatures(SMB sequence numbers) %s", this.ToBitString, this ? "enabled" : "disabled");
- UINT8 SecuritySignaturesRequired:1 = FormatString("(%s) Security signatures(SMB sequence numbers) %s", this.ToBitString, this ? "required" : "NOT required");
- UINT8 Reserved_bits4_7:4 = FormatString(" (%s) %s", this.ToBitString, "Reserved");
- };
- UINT16 MaxMpxCount;
- UINT16 MaxNumberVcs;
- UINT32 MaxBufferSize;
- UINT32 MaxRawSize;
- UINT32 SessionKey;
- [DataFieldByteOrder = LittleEndian]
- UINT32 Capabilities
- {
- UINT32 Reserved_bits1_13:13 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT32 InfolevelPassthru:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports Windows NT information level pass-through requests [SMB_INFO_PASSTHROUGH]" : "No Support for Windows NT information level pass-through requests [SMB_INFO_PASSTHROUGH]") , "CAP_INFOLEVEL_PASSTHRU");
- UINT32 Reserved_bits15:1 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT32 LargeWritex:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports large write operations" : "No Support for large write operations") , "CAP_LARGE_WRITEX");
-
- UINT32 Lwio:1 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT32 Reserved_bit18_23:6 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT32 Unix:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports UNIX CIFS Extensions" : "No Support for UNIX CIFS Extensions") , "CAP_UNIX");
-
- UINT32 Reserved_bits24:1 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT32 CompressedData:1 = FormatString(" (%s) %s (%s)", this.ToBitString, (this ? "Supports compressed data transfer" : "No support for compressed data transfer"), "CAP_COMPRESSED_DATA [NOT implemented]");
- UINT32 Reserved_bits26_28:3 = FormatString("(%s) Reserved", this.ToBitString);
- UINT32 DynamicReauth:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports dynamic reauthorization" : "No Support for dynamic reauthorization") , "CAP_DYNAMIC_REAUTH");
- UINT32 Reserved_bits31:1 = FormatString(" (%s) Reserved", this.ToBitString);
- UINT32 ExtendedSecurity:1 = FormatString(" (%s) %s (%s)", this.ToBitString , (this ? "Supports extended security exchange" : "No Support for extended security exchange") , "CAP_EXTENDED_SECURITY");
- };
- FILETIME SystemTime;
- UINT16 SystemTimeZone = FormatString("%d Min From UTC", this);
- UINT8 ChallengeLength = MUSTBeSetToTable( this, "0x08");
- UINT16 ByteCount;
- [ SMBNegotiateBuffEndOffset = FrameOffset + ByteCount ]
- switch
- {
- case FrameOffset < SMBNegotiateBuffEndOffset:
- _struct AuthenticationData
- {
- Switch( Capabilities.ExtendedSecurity )
- {
- case 0:
- _struct ChallengeAuthData
- {
- Blob(ChallengeLength) Challenge;
- //Windows NT servers always send the DomainName field in Unicode characters and never add a padding byte for alignment.
- SMBFileNameString(SMBUnicode, FALSE, 0, FrameOffset) DomainName;
- switch
- {
- case FrameOffset < SMBNegotiateBuffEndOffset:
- UnicodeString((SMBNegotiateBuffEndOffset - FrameOffset) /2) ServerName;
- }
- }
- case 1:
- _struct GSSAPISpecificInformation
- {
- GUID(FALSE) ServerGUID;
- SMBSecurityBlob(FrameLength - FrameOffset) SecurityBlob;
- }
- }
- }
- }
- }
-
- // http://www.cifs.org/mediawiki/images/b/b9/1992-02-29-SMB-LM21.pdf
- struct SmbComSessionSetupAndxClientRequest
- {
- UINT8 WordCount = MUSTBeSetToTable(this, "0x0A");
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- UINT16 MaxBufferSize;
- UINT16 MaxMpxCount;
- UINT16 VcNumber;
- UINT32 SessionKey;
- UINT16 AccountPasswordLength;
- UINT32 Reserved;
-
- [EndByteCountOffset = frameOffset + ByteCount + 2 ]
- UINT16 ByteCount;
- switch
- {
- case AccountPasswordLength > 0:
- BLOB(AccountPasswordLength) AccountPassword;
- }
- [DataFieldFrameLength = (ANDXOffset == 0) ? FrameLength : (ProtocolOffset + ANDXOffset)]
- switch
- {
- case CurrentProtocolOffset < ANDXOffset || ANDXOffset == 0:
- switch(Property.SMBUnicode)
- {
- case 1:
- _struct UnicodeParameters
- {
- ALIGN2 Align;
- [SMBComPramSummary = ", AccountName = " + this]
- UnicodeString AccountName;
- UnicodeString PrimaryDomain;
- UnicodeString NativeOS;
- While [CurrentProtocolOffset<ANDXOffset && UINT16(FrameData, FrameOffset) == 0x0000]
- {
- UINT16 NULL;
- }
- UnicodeString NativeLANMan;
- };
- case 0:
- _struct AsciiParameters
- {
- [SMBComPramSummary = ", AccountName = " + this]
- AsciiString AccountName;
- AsciiString PrimaryDomain;
- AsciiString NativeOS;
- While [CurrentProtocolOffset<ANDXOffset && UINT8(FrameData, FrameOffset) == 0x00]
- {
- UINT8 NULL;
- }
- AsciiString NativeLANMan;
- };
- }
- }
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SmbComSessionSetupAndxClientRequestExtension
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x0C");
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- UINT16 MaxBufferSize;
- UINT16 MaxMpxCount;
- UINT16 VcNumber;
- UINT32 SessionKey;
- UINT16 SecurityBlobLength;
- UINT32 Reserved;
- UINT32 Capabilities;
- [EndByteCountOffset = frameOffset + ByteCount + 2 ]
- UINT16 ByteCount;
- SMBSecurityBlob(SecurityBlobLength) SecurityBlob;
- [DataFieldFrameLength = (ANDXOffset == 0) ? FrameLength : (ProtocolOffset + ANDXOffset)]
- switch
- {
- case CurrentProtocolOffset < ANDXOffset || ANDXOffset == 0:
- switch(Property.SMBUnicode)
- {
- case 1:
- _struct UnicodeParameters
- {
- ALIGN2 Align;
- UnicodeString NativeOS;
- While [CurrentProtocolOffset<ANDXOffset && UINT16(FrameData, FrameOffset) == 0x0000]
- {
- UINT16 NULL;
- }
- UnicodeString NativeLANMan;
- };
- case 0:
- _struct AsciiParameters
- {
- AsciiString NativeOS;
- While [CurrentProtocolOffset<ANDXOffset && UINT8(FrameData, FrameOffset) == 0x00]
- {
- UINT8 NULL;
- }
- AsciiString NativeLANMan;
- };
- }
- }
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- // http://www.cifs.org/mediawiki/images/b/b9/1992-02-29-SMB-LM21.pdf
- struct SmbComSessionSetupAndxServerResponse
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x03");
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- [DataFieldByteOrder = LittleEndian]
- UINT16 Action = Guest ? " Logged in as Guest" : " Logged in as User"
- {
- UINT16 Guest:1 = FormatString("(%s) SMB_SETUP_GUEST: Logged on as %s",
- this.ToBitString,
- this ? "Guest" : "User");
- UINT16 LMKey:1 = FormatString("(%s) SMB_SETUP_USE_LANMAN_KEY: %s",
- this.ToBitString,
- this ? "Using the Lan Manager setup key" : "Using the User setup key");
- UINT16 Resvd:14 = FormatString("(%s) Reserved", this.ToBitString);
- };
- [EndByteCountOffset = frameOffset + ByteCount + 2 ]
- UINT16 ByteCount;
- [DataFieldFrameLength = (ANDXOffset == 0) ? FrameLength : (ProtocolOffset + ANDXOffset)]
- switch
- {
- case CurrentProtocolOffset < ANDXOffset || ANDXOffset == 0:
- switch(SMBUnicode)
- {
- case 1:
- _struct UnicodeParameters
- {
- ALIGN2 Align;
- UnicodeString NativeOS;
- UnicodeString NativeLANMan;
- While [CurrentProtocolOffset<ANDXOffset && UINT16(FrameData, FrameOffset) == 0x0000]
- {
- UINT16 NULL;
- }
- // NOT guaranteed to be properly NUL terminated
- switch
- {
- case ANDXOffset == 0 && (FrameLength-FrameOffset)/2 > 0:
- UnicodeStringTerm("\0x00", true) PrimaryDomainpad;
- case (ANDXOffset-CurrentProtocolOffset)/2 > 0:
- UnicodeString( (ANDXOffset-CurrentProtocolOffset)/2 ) PrimaryDomain;
- }
- };
- case 0:
- _struct AsciiParameters
- {
- AsciiString NativeOS;
- AsciiString NativeLANMan;
- While [CurrentProtocolOffset<ANDXOffset && UINT8(FrameData, FrameOffset) == 0x00]
- {
- UINT8 NULL;
- }
- // NOT guaranteed to be properly NUL terminated
- switch
- {
- case ANDXOffset == 0 && FrameOffset < FrameLength:
- AsciiStringTerm("\0x00", true) PrimaryDomainpad;
- case ANDXOffset-CurrentProtocolOffset > 0:
- AsciiString(ANDXOffset-CurrentProtocolOffset) PrimaryDomain;
- }
- };
- }
- }
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SMBComSessionSetupAndXNTLMNoESSRequest
- {
- UINT8 WordCount;
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- UINT16 MaxBufferSize;
- UINT16 MaxMpxCount;
- UINT16 VcNumber;
- UINT32 SessionKey;
- UINT16 CaseInsensitivePwdLen; // ANSI
- UINT16 CaseSensitivePwdLen;// Unicode
- UINT32 Reserved;
- SMBCapability Capabilities;
- UINT16 ByteCount;
- switch
- {
- case CaseInsensitivePwdLen > 0:
- BLOB(CaseInsensitivePwdLen) CaseInsensitivePwd;
- };
- switch
- {
- case CaseSensitivePwdLen > 0 && CaseSensitivePwdLen < 24:
- BLOB(CaseSensitivePwdLen) CaseSensitivePwd;
- case CaseSensitivePwdLen == 24:
- [Property.NTLMSSPLmChallengeLength = 24]
- NLMPLmv2Response NlmpLmv2Response;
- case CaseSensitivePwdLen > 24:
- [DataFieldFrameLength = FrameOffset + CaseSensitivePwdLen]
- NLMPV2Response NlmpV2Response;
- };
- switch
- {
- case CaseInsensitivePwdLen == 0
- && CaseSensitivePwdLen == 0
- && UINT8(FrameData,FrameOffset) == 0:
- BLOB(1) NullPwd;
- };
- [DataFieldFrameLength = (ANDXOffset == 0) ? FrameLength : (ProtocolOffset + ANDXOffset)]
- switch
- {
- case CurrentProtocolOffset < ANDXOffset || ANDXOffset == 0:
- switch(SMBUnicode)
- {
- case 1:
- _struct UnicodeParameters
- {
- ALIGN2 Align;
- [SMBComPramSummary = ", Account = " + (this ? this : "anonymous")]
- UnicodeString AccountName;
- UnicodeString PrimaryDomain;
- UnicodeString NativeOS;
- switch
- {
- case UINT16(FrameData,FrameOffset) == 0:
- UINT16 Null;
- }
- UnicodeString NativeLANMan;
- };
- case 0:
- _struct AsciiParameters
- {
- [SMBComPramSummary = ", Account = " + (this ? this : "anonymous")]
- AsciiString AccountName;
- AsciiString PrimaryDomain;
- AsciiString NativeOS;
- AsciiString NativeLANMan;
- };
- }
- }
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SMBComSessionSetupAndXNTLMESSRequest
- {
- UINT8 WordCount;
- [WordPramEndOffset = frameOffset + WordCount*2, SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- UINT16 MaxBufferSize;
- UINT16 MaxMpxCount;
- UINT16 VcNumber;
- UINT32 SessionKey;
- UINT16 SecurityBlobLength;
- UINT32 Reserved;
- SMBCapability Capabilities;
- switch
- {
- case frameOffset < WordPramEndOffset:
- BLOB(WordPramEndOffset - frameOffset) WordPad;
- }
- [EndByteCountOffset = frameOffset + ByteCount + 2 ]
- UINT16 ByteCount;
- SMBSecurityBlob(SecurityBlobLength) SecurityBlob;
- [DataFieldFrameLength = (ANDXOffset == 0) ? FrameLength : (ProtocolOffset + ANDXOffset)]
- switch
- {
- case FrameOffset < EndByteCountOffset:
- switch(SMBUnicode)
- {
- case 1:
- _struct UnicodeParameters
- {
- ALIGN2 Align;
- switch
- {
- case FrameOffset < EndByteCountOffset:
- UnicodeString NativeOS;
- }
- switch
- {
- case (FrameOffset < EndByteCountOffset) && (UINT16(FrameData,FrameOffset) == 0):
- UINT16 Null;
- }
- switch
- {
- case FrameOffset < EndByteCountOffset:
- UnicodeString NativeLANMan;
- }
- };
- case 0:
- _struct AsciiParameters
- {
- switch
- {
- case FrameOffset < EndByteCountOffset:
- AsciiString NativeOS;
- }
- switch
- {
- case FrameOffset < EndByteCountOffset:
- AsciiString NativeLANMan;
- }
- };
- }
- }
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SmbComSessionSetupAndxServerResponseExtension
- {
- UINT8 WordCount;
- [WordPramEndOffset = frameOffset + WordCount*2, SMBCommand]
- UINT8 AndXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- [DataFieldByteOrder = LittleEndian]
- UINT16 Action = Guest ? " Logged in as Guest" : " Logged in as User"
- {
- UINT16 Guest:1 = FormatString(" (%s) SMB_SETUP_GUEST: Logged on as %s", this.ToBitString, this ? "Guest" : "User");
- UINT16 LMAuth:1 = FormatString("(%s) %suse the LM setup key", this.ToBitString, this ? "" : "Do NOT ");
- UINT16 Resvd:14 = FormatString(" (%s) Reserved", this.ToBitString);
- };
- UINT16 SecurityBlobLength;
- switch
- {
- case frameOffset < WordPramEndOffset:
- BLOB(WordPramEndOffset - frameOffset) WordPad;
- }
- [EndByteCountOffset = frameOffset + ByteCount + 2 ]
- UINT16 ByteCount;
- SMBSecurityBlob(SecurityBlobLength) SecurityBlob;
- // Packet could be fragmented anywhere in here
- [DataFieldFrameLength = (ANDXOffset == 0) ? FrameLength : (ProtocolOffset + ANDXOffset)]
- switch
- {
- case CurrentProtocolOffset < ANDXOffset || ANDXOffset == 0:
- switch(SMBUnicode)
- {
- case 1:
- _struct UnicodeParameters
- {
- ALIGN2 Align;
- UnicodeString NativeOS;
- UnicodeString NativeLANMan;
- };
- case 0:
- _struct AsciiParameters
- {
- AsciiString NativeOS;
- AsciiString NativeLANMan;
- };
- }
- }
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SMBComLogoffAndXRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x02");
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- struct SMBComLogoffAndX
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x02");
- [SMBCommand]
- UINT8 ANDXCommand = FormatString("%s %d(0x%X)", SMBCommandTable(this), this, this);
- UINT8 AndXReserved;
- [SMBAndXOffset]
- UINT16 ANDXOffset;
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- switch
- {
- case FrameOffset < frameLength && ANDXOffset > CurrentProtocolOffset:
- BLOB(ANDXOffset - CurrentProtocolOffset) ANDXPadding;
- };
- }
-
- Table SMBNTTransactFunctionTable(func)
- {
- switch(func)
- {
- case 1: "NT_TRANSACT_CREATE";
- case 2: "NT_TRANSACT_IOCTL";
- case 3: "NT_TRANSACT_SET_SECURITY_DESC";
- case 4: "NT_TRANSACT_NOTIFY_CHANGE";
- case 5: "NT_TRANSACT_RENAME";
- case 6: "NT_TRANSACT_QUERY_SECURITY_DESC";
- case 7: "NT_TRANSACT_QUERY_QUOTA";
- case 8: "NT_TRANSACT_SET_QUOTA";
- case 9: "NT_TRANSACT_CREATE2";
- default: "Unknown NT Transaction Function";
- }
- }
-
- Table SMBNTTransactCreationFlagTable(flag)
- {
- switch(flag)
- {
- case 0x02: FormatString("Level I oplock requested, %d(%#X)", flag, flag);
- case 0x04: FormatString("Batch oplock requested, %d(%#X)", flag, flag);
- case 0x08: FormatString("Target for open is a directory, %d(%#X)", flag, flag);
- default: FormatString("%d(%#X)", flag, flag);
- }
- }
-
- [DataTypeByteOrder = LittleEndian]
- struct SMBNTTransSecurityInformation
- {
- UINT32 Owner:1 = FormatString("(%s) OWNER_SECURITY_INFORMATION: %sRequesting Owner of the object or resource", this.ToBitString, this ? "" : "NOT");
- UINT32 Group:1 = FormatString("(%s) GROUP_SECURITY_INFORMATION: %%sRequesting Group associated with the object or resource", this.ToBitString, this ? "" : "NOT");
- UINT32 DACL:1 = FormatString(" (%s) DACL_SECURITY_INFORMATION: %sRequesting Discretionary Access Control List(ACL) associated with the object or resource.", this.ToBitString, this ? "" : "NOT");
- UINT32 SACL:1 = FormatString(" (%s) SACL_SECURITY_INFORMATION: %sRequesting System Access Control List(ACL) associated with the object or resource.", this.ToBitString, this ? "" : "NOT");
- UINT32 Revd:28 = FormatString(" (%s) Reserved", this.ToBitString );
- }
-
- //CIFS-TR-1p00_FINAL, page 34, SMB_COM_NT_TRANSACTION Formats
- struct SMBComNTTransactionRequest
- {
- UINT8 WordCount;
- UINT8 MaxSetupCount;
- UINT16 Reserved;
- UINT32 TotalParameterCount;
- UINT32 TotalDataCount;
- UINT32 MaxParameterCount;
- UINT32 MaxDataCount;
- UINT32 ParameterCount;
- UINT32 ParameterOffset;
- UINT32 DataCount;
- UINT32 DataOffset;
- UINT8 SetupCount;
- [
- SMBSubcommand,
- SMBComSummary = SMBComSummary + ", " + SMBNTTransactFunctionTable(this),
- conversation.SMBSubCommandTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] // save into SMB parent protocol conversation
- ]
- UINT16 Function = SMBNTTransactFunctionTable(this);
- //
- // These are NT Transaction Setup Words
- //
- switch
- {
- case Function == 0x0002 && SetupCount > 0:
- struct IOCTLSetupWords
- {
- [
- IOCTLFunctionCode,
- Conversation.SMBFunctionCodeTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)]
- ]
- UINT32 FunctionCode = FormatString("%s, %u (0x%X)", FSCCCtlCodeTable(this), this, this);
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : ""),
- SMBComSummary = (FunctionCode == 0x00144064 || FunctionCode == 0x00140078 || FunctionCode == 0x001440F2) ?
- (SMBComSummary + FormatString(" (%s Request)",FunctionCode.toString)) : SMBComSummary
- ]
- UINT16 FileID;
- BOOLEAN IsFsctl = this ? "File system control command" : "Device control command";
- [DataFieldByteOrder = LittleEndian]
- UINT8 IsFlag
- {
- UINT8 ShareRoot:1 = FormatString("(%s) %s", this.ToBitString, this ? "Command is to be applied to share root handle" : "Command is NOT to be applied to share root handle");
- UINT8 Reserved:7 = FormatString(" (%s) Reserved", this.ToBitString);
- };
- };
- //
- //CIFS-TR-1p00_FINAL, page 106, 4.3.7.NT_TRANSACT_NOTIFY_CHANGE: Request Change Notification
- //
- case Function == 0x0004 && SetupCount > 0:
- struct NotifyChangeSetupWords
- {
- [DataFieldByteOrder = LittleEndian]
- UINT32 CompletionFilter
- {
- UINT32 FileName: 1 = FormatString(" (%s) %sFile Change Name Notify (FILE_NOTIFY_CHANGE_FILE_NAME)", this.ToBitString, this ? "" : "NOT ");
- UINT32 DirName: 1 = FormatString(" (%s) %sFile Change Dir Name Notify (FILE_NOTIFY_CHANGE_DIR_NAME)", this.ToBitString, this ? "" : "NOT ");
- UINT32 Attributes: 1 = FormatString(" (%s) %sFile Change Attributes Notify (FILE_NOTIFY_CHANGE_ATTRIBUTES)", this.ToBitString, this ? "" : "NOT ");
- UINT32 Size: 1 = FormatString(" (%s) %sFile Change Size Notify (FILE_NOTIFY_CHANGE_SIZE)", this.ToBitString, this ? "" : "NOT ");
- UINT32 LastWrite: 1 = FormatString(" (%s) %sFile Change Last Write Notify (FILE_NOTIFY_CHANGE_LAST_WRITE)", this.ToBitString, this ? "" : "NOT ");
- UINT32 LastAccess: 1 = FormatString(" (%s) %sFile Change Last Access Notify (FILE_NOTIFY_CHANGE_LAST_ACCESS)", this.ToBitString, this ? "" : "NOT ");
- UINT32 Creation: 1 = FormatString(" (%s) %sFile Change Creation Notify (FILE_NOTIFY_CHANGE_CREATION)", this.ToBitString, this ? "" : "NOT ");
- UINT32 Ea: 1 = FormatString(" (%s) %sFile Change EA Notify (FILE_NOTIFY_CHANGE_EA)", this.ToBitString, this ? "" : "NOT ");
- UINT32 Security: 1 = FormatString(" (%s) %sFile Change Security Notify (FILE_NOTIFY_CHANGE_SECURITY)", this.ToBitString, this ? "" : "NOT ");
- UINT32 StreamName: 1 = FormatString(" (%s) %sFile Change Stream Name Notify (FILE_NOTIFY_CHANGE_STREAM_NAME)", this.ToBitString, this ? "" : "NOT ");
- UINT32 StreamSize: 1 = FormatString(" (%s) %sFile Change Stream Size Notify (FILE_NOTIFY_CHANGE_STREAM_SIZE)", this.ToBitString, this ? "" : "NOT ");
- UINT32 StreamWrite: 1 = FormatString("(%s) %sFile Change Stream Write Notify (FILE_NOTIFY_CHANGE_STREAM_WRITE)", this.ToBitString, this ? "" : "NOT ");
- UINT32 Reserved:20 = FormatString(" (%s) Reserved", this.ToBitString);
- };
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- BOOLEAN WatchTree = FormatString("%s - %s", this?"TRUE":"FALSE", this?"Watch all subdirectories too":"No Watch any subdirectory");
- UINT8 Reserved;
- };
- case SetupCount > 0:
- _struct ErrorSetupWords
- {
- ReportParserError(ParserErrorProtocolClassWindows, "SMB", "SMB: Unknown NT Transaction Request SetupWords") NTTransactionSetupWordsError;
- UINT16 SetupWords[SetupCount];
- };
- }
- [SMBBytesEndOffset = frameOffset + 2 + ByteCount]
- UINT16 ByteCount;
- switch
- {
- case frameOffset < frameLength &&
- CurrentProtocolOffset < ParameterOffset:
- BLOB(ParameterOffset-CurrentProtocolOffset) Pad1;
- }
- //
- // This is NT Transaction Parameter Block
- //
- switch
- {
- case Function == 0x0001 && ParameterCount > 0:
- case Function == 0x0009 && ParameterCount > 0:
- struct NTCreateParameterBlock
- {
- [DataFieldByteOrder = LittleEndian]
- UINT32 Flags
- {
- UINT32 Unused:1 = FormatString(" (%s)", this.ToBitString);
- UINT32 DynamicLock:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Level I oplock requested" : "Level I oplock NOT requested");
- UINT32 BatchLock:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Batch oplock requested" : "Batch oplock NOT requested");
- UINT32 Target:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Target for open is a directory" : "Target for open is NOT a directory");
- UINT32 ExtentedResponse:1 = FormatString("(%s) %s", this.ToBitString, this ? "Request extented response" : "Does NOT request extended response");
- UINT32 Reserved:27 = FormatString(" (%s)", this.ToBitString);
- }
- UINT32 RootDirectoryFid;
- SMBAccessMask DesiredAccess;
- SMBLargeInteger AllocationSize;
- SMBNTFileAttributes ExtFileAttributes;
- SMBNTCreateShareAccess ShareAccess;
- UINT32 CreateDisposition = SMBNTCreateDisposition(this);
- SMBNTCreateOptions CreateOptions;
- [NTTransSecurityDescriptorLength]
- UINT32 SecurityDescriptorLength;
- [NTTransEaLength]
- UINT32 EaLength;
- UINT32 NameLength;
- UINT32 ImpersonationLevel = SMBNTImpersonationLevelTable(UINT8( Framedata, Offset ));
- SMBSecurityFlags SecurityFlags;
- switch(SMBUnicode)
- {
- case 0:
- _struct AsciiFileName
- {
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- AsciiString(NameLength) FileName;
- }
- case 1:
- _struct UnicodeFileName
- {
- ALIGN2 Align;
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- UnicodeString(NameLength / 2) FileName;
- }
- }
- };
- case Function == 0x0003 && ParameterCount > 0:
- struct NTSetSecurityDescParameterBlock
- {
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 Reserved;
- SMBNTTransSecurityInformation SecurityInformation;
- };
- case Function == 0x0005 && ParameterCount > 0://NT_TRANSACT_RENAME Client Request Clarification
- struct NTRenameParameterBlock
- {
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 RenameFlags = this ? "replace the target file if the target name exists" : "fail if the target name exists";
- [SMBComPramSummary = ", NewFileName = " + this]
- SMBFileNameString(Property.SMBUnicode, FALSE, 0, ProtocolOffset) NewName;
- }
- case Function == 0x0006 && ParameterCount > 0:
- struct NTQuerySecurityDescParameterBlock
- {
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT16 Reserved;
- SMBNTTransSecurityInformation SecurityInformation;
- };
- case Function == 0x0007 && ParameterCount > 0://NT_TRANSACT_QUERY_QUOTA
- struct NTQueryQuotaInfoParameterBlock
- {
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT8 ReturnSingleEntry;
- UINT8 RestartScan;
- UINT32 SIDListLength;
- UINT32 StartSIDLength;
- UINT32 StartSIDOffset;
- };
- case Function == 0x0008 && ParameterCount > 0://NT_TRANSACT_SET_QUOTA
- struct NTSetQuotaInfoParameterBlock
- {
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- };
- case ParameterCount > 0:
- struct ErrorParameterBlock
- {
- ReportParserError(ParserErrorProtocolClassWindows, "SMB", FormatString("SMB: Unknown NT Transaction Request Parameters, Function = 0x%X", Function)) NTTransactionParameterError;
- BLOB(ParameterCount) Parameters;
- }
- }
- switch
- {
- case frameOffset < frameLength && CurrentProtocolOffset < DataOffset:
- BLOB(DataOffset-CurrentProtocolOffset) Pad2;
- }
- //
- // This is NT Transaction Data Block
- //
- [conversation.SMBSubCommandTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Function]// save into SMB conversation
- switch
- {
- case Function == 0x0001 && DataCount > 0:
- _struct NTCreateDataBlock
- {
- switch
- {
- case NTTransSecurityDescriptorLength > 0:
- SecurityDescriptorRelative SecurityDescriptor;
- };
- switch
- {
- case NTTransEaLength > 0:
- Blob(NTTransEaLength) ExtendedAttributes;
- };
- }
- case Function == 0x0002 && DataCount > 0:
- _struct FSCTLDataStruct
- {
- switch( IOCTLFunctionCode )
- {
- case 0x001440F2:
- _struct FSCTL_SRV_COPYCHUNKRequestData//FSCTL_SRV_COPYCHUNK Request
- {
- BLOB(24) CopychunkResumeKey;
- UINT32 ChunkCount;
- UINT32 Unused;
- ChunkDataList List[ChunkCount];
- }
- case 0x000900AC:
- FSCCFSCTLDeleteReparsePointRequest DeleteReparsePoint;
- case 0x0009008F:
- FSCCFSCTLFindFilesBySidRequest FindFilesBySid;
- case 0x00090073:
- FSCCFSCTLGetRetrievalPointersRequest GetRetrievalPointers;
- case 0x0009002C:
- FSCCFSCTLIsPathnameValidRequest IsPathnameValid;
- case 0x001400EC:
- FSCCFSCTLLMRSetLinkTrackingInformationRequest LMRSetLinkTrackingInformation;
- case 0x0011C017:
- FSCCFSCTLPipetransceiveRequest( DataCount ) Pipetransceive;
- case 0x00110018:
- FSCCFSCTLPipeWaitRequest PipeWait;
- case 0x000940CF:
- FSCCFSCTLQueryAllocatedRangesRequest QueryAllocatedRanges;
- case 0x0009C040:
- FSCCFSCTLSetCompressionRequest SetCompression;
- case 0x00098134:
- FSCCFSCTLSetDefectManagementRequest SetDefectManagement;
- case 0x000900D7:
- FSCCFSCTLSetEncryptionRequest SetEncryption;
- case 0x00090098:
- FSCCFSCTLSetObjectIDRequest SetObjectID;
- case 0x000900BC:
- FSCCFSCTLSetObjectIDExtendedRequest SetObjectIDExtended;
- case 0x000900A4:
- FSCCFSCTLSetReparsePointRequest SetReparsePoint;
- case 0x000901B4:
- FSCCFSCTLSetShortNameBehaviorRequest SetShortNameBehavior;
- case 0x000980C8:
- FSCCFSCTLSetZeroDataRequest SetZeroData;
- case 0x00090100:
- FSCCFSCTLSISCopyFileRequest SISCopyFile;
- case 0x000900c4:
- FSCCFSCTLSetSparseRequest SetSparse;
-
- case 0x00098208:
- FSCCFSCTLFileLevelTrimRequest FileLevelTrim
-
- case 0x0009C280:
- FSCCFSCTLSetIntegrityInformationRequest SetIntegrityInformation;
-
- case 0x00094264:
- FSCCFSCTLOffloadReadRequest OffloadRead;
-
- case 0x00098268:
- FSCCFSCTLOffloadWriteRequest OffloadWrite;
- default:
- BLOB(DataCount > FrameLength - FrameOffset ? FrameLength - FrameOffset : DataCount) FsctlData;
- };
- }
- case Function == 0x0003 && DataCount > 0:
- SecurityDescriptorRelative SecurityDescriptor;
- case Function == 0x0008 && DataCount > 0:
- [NextEntry = 1]
- while options[NextEntry != 0]
- {
- struct NTTransactSetQuotaDataBuffer //NT_TRANSACT_QUERY_QUOTA
- {
- [NextEntry]
- UINT32 NextEntryOffset;
- UINT32 SidLength;
- FILETIME ChangeTime;
- SMBLargeInteger QuotaUsed;
- SMBLargeInteger QuotaThreshold;
- SMBLargeInteger QuotaLimit;
- switch
- {
- case SIDLength > 0:
- SID(false) Sid;
- }
- switch
- {
- case frameOffset < Property.NextEntry:
- BLOB(Property.NextEntry - offset) Padding;
- }
- }
- }
- case DataCount > 0:
- _struct UnknownDataBlock
- {
- ReportParserError(ParserErrorProtocolClassWindows, "SMB", FormatString("SMB: Unknown NT Transaction Request Data, Function = 0x%X", Function)) NTTransactionDataEError;
- BLOB(DataCount > FrameLength - FrameOffset ? FrameLength - FrameOffset : DataCount) Data;
- };
- }
- switch
- {
- case frameOffset < frameLength && frameOffset < SMBBytesEndOffset:
- BLOB(SMBBytesEndOffset - frameOffset > frameLength - frameOffset ? frameLength - frameOffset : SMBBytesEndOffset - frameOffset) Pad;
- }
- }
-
- //FSCTL_SRV_COPYCHUNK Request List
- struct ChunkDataList
- {
- SMBLargeInteger SourceOffset;
- SMBLargeInteger DestinationOffset;
- UINT32 CopyLength;
- UINT32 Reserved;
- }
-
- struct SMBComNTTransactionSecondaryRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x12");
- UINT8 Reserved1;
- UINT16 Reserved2;
- UINT32 TotalParameterCount;
- UINT32 TotalDataCount;
- UINT32 ParameterCount;
- UINT32 ParameterOffset;
- UINT32 ParamDisplacement;
- UINT32 DataCount;
- UINT32 DataOffset;
- UINT32 DataDisplacement;
- UINT8 Reserved = MUSTBeSetToTable( this, "0x00");
- [SMBBytesEndOffset = frameOffset + 2 + ByteCount]
- UINT16 ByteCount;
- switch
- {
- case CurrentProtocolOffset < ParameterOffset:
- BLOB(ParameterOffset - CurrentProtocolOffset) Pad1;
- }
- switch
- {
- case ParameterCount > 0:
- BLOB(ParameterCount) Parameters;
- }
- switch
- {
- case CurrentProtocolOffset < DataOffset:
- BLOB(DataOffset - CurrentProtocolOffset) Pad2;
- }
- switch
- {
- case DataCount > 0:
- BLOB(DataCount) Data;
- }
- switch
- {
- case frameOffset < frameLength && frameOffset < SMBBytesEndOffset:
- BLOB(SMBBytesEndOffset - frameOffset > frameLength - frameOffset ? frameLength - frameOffset : SMBBytesEndOffset - frameOffset) Pad;
- }
- }
-
- Table SMBNTTransCreateOplockLevelTable( level )
- {
- switch( level )
- {
- case 0: "No oplock granted";
- case 1: "Exclusive oplock granted";
- case 2: "Batch oplock granted";
- case 3: "Level II oplock granted";
- default: FormatString("Undefined level(%d)", level);
- }
- }
-
- [Property.SMBInterimResponse = true]
- struct SMBComInterimResponseNTTransaction
- {
- [
- conversation.SMBSubCommandPerFrame$[FrameNumber] = conversation.SMBSubCommandTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBSubCommand = conversation.SMBSubCommandPerFrame$[FrameNumber],
- SMBComSummary = SMBComSummary + ", " + SMBNTTransactFunctionTable(SMBSubCommand),
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber]
- ]
- UINT8 WordCount;
- switch
- {
- case SMBFileID:
- [
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- _struct BuildConversationForInterimResponse
- {
- UINT16 ByteCount;
- };
- default:
- UINT16 ByteCount;
- }
- }
-
- Table FileNotifyActionTable(action)
- {
- switch(action)
- {
- case 0x00000001: "FILE_ACTION_ADDED";
- case 0x00000002: "FILE_ACTION_REMOVED";
- case 0x00000003: "FILE_ACTION_MODIFIED";
- case 0x00000004: "FILE_ACTION_RENAMED_OLD_NAME";
- case 0x00000005: "FILE_ACTION_RENAMED_NEW_NAME";
- case 0x00000006: "FILE_ACTION_ADDED_STREAM";
- case 0x00000007: "FILE_ACTION_REMOVED_STREAM";
- case 0x00000008: "FILE_ACTION_MODIFIED_STREAM";
- default: "Unhandled Action";
- }
- }
-
- struct SMBComNTTransactionResp
- {
- [
- conversation.SMBSubCommandPerFrame$[FrameNumber] = conversation.SMBSubCommandTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],//get from SMB parent protocol conversation
- SMBSubCommand = conversation.SMBSubCommandPerFrame$[FrameNumber],
- SMBComSummary = SMBComSummary + ", " + SMBNTTransactFunctionTable(SMBSubCommand),
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber]
- ]
- // here 1 should be treated specially
- // {2, 3, 4, 6, 7, 8} should have conversation def
- UINT8 WordCount;
- switch
- {
- case SMBFileID && (SMBSubCommand != 1):
- [
- conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : ""),
- conversation.SMBSubCommandPerFrame$[FrameNumber] = conversation.SMBSubCommandTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBSubCommand = conversation.SMBSubCommandPerFrame$[FrameNumber]
- ]
- _struct BuildConversationForNTTransactResponse{};
- }
- UINT24 Reserved;
- [Property.TotalParameterCount]
- UINT32 TotalParameterCount;
- UINT32 TotalDataCount;
- UINT32 ParameterCount;
- [ParameterEndOffset = ProtocolOffset + this + ParameterCount]
- UINT32 ParameterOffset;
- UINT32 ParamDisplacement;
- UINT32 DataCount;
- UINT32 DataOffset;
- UINT32 DataDisplacement;
- UINT8 SetupCount;
- //
- // Setup Words
- //
- [
- conversation.SMBNTFunctionCodePerFrame$[FrameNumber] = Conversation.SMBFunctionCodeTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBNTFunctionCode = conversation.SMBNTFunctionCodePerFrame$[FrameNumber]
- ]/* Get from SMB Conversation*/
- switch
- {
- case !(ConvID > 0):
- _struct ReportWarning
- {
- ReportParserWarning( "SMB", "May not parse correctly when conversation off") ParserWarning;
- UINT16 SetupWords[SetupCount];
- };
- case SMBSubCommand == 2 && SetupCount == 4:
- struct IOCTLSetupWords
- {
- UINT16 Function = SMBNTTransactFunctionTable(this);
- UINT32 FunctionCode;
- UINT16 FileID;
- }
- case SMBSubCommand == 2:
- _struct UnknownIOCTLSetupWords
- {
- UINT16 SetupWords[SetupCount];
- }
- case SetupCount > 0:
- _struct ErrorSetupWords
- {
- switch
- {
- case IsValueNone(SMBSubCommand):
- ReportParserWarning("SMB", "May not parse correctly when NTTransaction Request is missing") NTTransactionSetupWordsWarning;
- default:
- ReportParserError(ParserErrorProtocolClassWindows, "SMB", "SMB: Unknown NTTransaction Response SetupWords") NTTransactionSetupWordsError;
- }
- UINT16 SetupWords[SetupCount];
- }
- }
- [SMBBytesEndOffset = frameOffset + 2 + ByteCount]
- UINT16 ByteCount;
- switch
- {
- case CurrentProtocolOffset < ParameterOffset:
- BLOB(ParameterOffset - CurrentProtocolOffset) Pad1;
- }
- //
- // This is NTTransaction Parameter Block
- //
- switch
- {
- case ParameterCount > 0 && ParamDisplacement == 0:
- switch
- {
- case !(ConvID > 0):
- _struct ReportWarning
- {
- ReportParserWarning( "SMB", "May not parse correctly when conversation off") ParserWarning;
- BLOB(ParameterCount) Parameters;
- };
- case SMBSubCommand == 1:
- case SMBSubCommand == 9:
- struct CreateParameterBlock
- {
- UINT8 OplockLevel = SMBNTTransCreateOplockLevelTable(this);
- UINT8 ResponseType = this ? "Response is extended" : "Response is NOT extended";
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- conversation.SMBFileNamePerFrame$[FrameNumber] = conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Property.SMBFileName = conversation.SMBFileNamePerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCount$[SMBFileID] = conversation.SMBFileIDCount$[SMBFileID] + 1,
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- UINT32 CreateAction = SMBCreateActionTable(this);
- UINT32 EaErrorOffset;
- FILETIME CreationTime;
- FILETIME LastAccessTime;
- FILETIME LastWriteTime;
- FILETIME ChangeTime;
- SMBNTFileAttributes FileAttributes;
- SMBLargeInteger AllocationSize;
- SMBLargeInteger EndOfFile;
- UINT16 FileType = SMBFileTypeTable(this);
- switch(FileType)
- {
- case 1:
- case 2:
- SMBDeviceState DeviceState;
- default:
- UINT16 FileStatus
- {
- UINT16 NoEAs:1 = FormatString(" (%s) File or Directory has %sextended attributes (NO_EAS)", this.ToBitString, this ? "NO ":"");
- UINT16 NoSubstreams:1 = FormatString("(%s) File or Directory has %ssubstreams (NO_SUBSTREAMS)", this.ToBitString, this ? "NO ":"");
- UINT16 NoReparseTag:1 = FormatString("(%s) File or Directory is %sa reparse point (NO_REPARSETAG)", this.ToBitString, this ? "NOT ":"");
- UINT16 Reserved:13 = FormatString(" (%s) Reserved", this.ToBitString);
- };
- }
- BOOLEAN IsDirectory = this ? "Is a directory." : "NOT a directory.";
- switch
- {
- case ResponseType != 0:
- _struct NTRransCreaterExtendedResponse
- {
- GUID(FALSE) VolumeGuid;
- UINT64 FileID;
- UINT32 MaximalAccessRights;
- UINT32 GuestMaximalAccessRights;
- }
- }
- };
- case SMBSubCommand == 4:
- struct NotifyParameterBlock
- {
- [SMBNTTransactNextEntryOffset = 1]
- while FindEntries[offset < Property.ParameterEndOffset && Property.SMBNTTransactNextEntryOffset]
- {
- struct FindEntry
- {
- [
- StructBaseOffset = FrameOffset,
- SMBNTTransactNextEntryOffset
- ]
- UINT32 NextEntryOffset;
- UINT32 NotifyAction = FileNotifyActionTable(this);
- UINT32 FileNameLength;
- [Post.SMBComPramSummary = SMBComPramSummary + ", File = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, TRUE, FileNameLength, StructBaseOffset) FileName;
- switch
- {
- case frameOffset < Property.SMBNTTransactNextEntryOffset:
- BLOB(Property.SMBNTTransactNextEntryOffset - offset) Padding;
- }
- };
- };
- };
- Case SMBSubCommand == 5:
- BLOB(Property.TotalParameterCount) ParameterBlock;
- case SMBSubCommand == 6:
- struct QuerySecDescParameterBlock
- {
- UINT32 SecurityDescriptorLength; //#? The server response doesn't have a Parameter block.
- };
- case SMBSubCommand == 7:
- struct GetUserQuotaParameterBlock
- {
- UINT32 ReturnedQuotaDataSize;
- };
- default:
- switch
- {
- case SMBSubCommand >= 0x00:
- _struct ErrorParameterBlock
- {
- ReportParserError(ParserErrorProtocolClassWindows, "SMB", FormatString("Unknown SMB NT Transaction Parameter Block, SubCommand = 0x%X", SMBSubCommand)) SMBNTTransFunctionError;
- BLOB(ParameterCount) Parameters;
- };
- default:
- _struct WarningParameterBlock
- {
- ReportParserWarning("SMB", "May not parse correctly when NT Transaction request is missing") SMBParameterBlockWarning;
- BLOB(ParameterCount) Parameters;
- };
- }
- }
- }
-
- switch
- {
- case CurrentProtocolOffset < DataOffset:
- BLOB(DataOffset - CurrentProtocolOffset) Pad2;
- }
-
- //
- // This is NTTransaction Data Block
- //
- [
- PayloadStart(
- NetworkDirection, /* direction */
- 0, /* id */
- DataDisplacement, /* sequence token */
- DataDisplacement + DataCount, /* next sequence token */
- 0, /* total payload length */
- ParamDisplacement == 0 && DataDisplacement == 0, /* is first */
- (TotalParameterCount == ParamDisplacement + ParameterCount) && (TotalDataCount == DataDisplacement + DataCount), /* is last */
- RssmblyIndStartBit+RssmblyIndEndBit+RssmblySequenceBit+RssmblySelfBit, //has start and end indication
- 0x0000, /* Properties... */
- SMBResponse,
- 0x0000, /* Properties... */
- ""
- )
- ]
- switch
- {
- case DataDisplacement == 0 && DataCount > 0:
- switch
- {
- case !(ConvID > 0):
- _struct ReportWarning
- {
- ReportParserWarning( "SMB", "May not parse correctly when conversation off") ParserWarning;
- BLOB(DataCount > FrameLength - FrameOffset ? FrameLength - FrameOffset : DataCount) Data;
- };
- case SMBSubCommand == 2:
- _Struct FSCTLDataStruct
- {
- switch( SMBNTFunctionCode )
- {
- case 0x00144064://FSCTL_SRV_ENUMERATE_SNAPSHOTS
- SMBFsctlSrvenumErateSnapShots FsctlSrvenumErateSnapShotsResponseData;
- case 0x00140078://FSCTL_SRV_REQUEST_RESUME_KEY
- _struct FSCTL_SRV_REQUEST_RESUME_KEYResponseData
- {
- BLOB(24) CopychunkResumeKey;
- UINT32 ContextLength;
- switch
- {
- case DataCount > 28: BLOB(DataCount - 28) Context;
- }
- }
- case 0x001440F2://FSCTL_SRV_COPYCHUNK
- _struct FSCTL_SRV_COPYCHUNKResponseData
- {
- UINT32 ChunksWritten;
- UINT32 ChunkBytesWritten;
- UINT32 TotalBytesWritten;
- }
- case 0x000900c0:
- FSCCFSCTLCreateOrGetObjectIDResponse CreateOrGetObjectID;
- case 0x00090060:
- FSCCFSCTLFilesystemGetStatisticsResponse FilesystemGetStatistics;
- case 0x0009008f:
- FSCCFSCTLFindFilesBySidResponse FindFilesBySid;
- case 0x0009003c:
- FSCCFSCTLGetCompressionResponse GetCompression;
- case 0x00090064:
- FSCCFSCTLGetNtfsVolumeDataResponse GetNtfsVolumeData;
- case 0x0009009c:
- FSCCFSCTLGetObjectIDResponse GetObjectID;
- case 0x000900a8:
- FSCCFSCTLGetReparsePointResponse GetReparsePoint;
- case 0x00090073:
- FSCCFSCTLGetRetrievalPointersResponse GetRetrievalPointers;
- case 0x00090078:
- FSCCFSCTLIsVolumeDirtyResponse IsVolumeDirty;
- case 0x001400e8:
- FSCCFSCTLLMRGetLinkTrackingInformationResponse LMRGetLinkTrackingInformation;
- case 0x0011400c:
- FSCCFSCTLPipePeekResponse PipePeek;
- case 0x0011c017:
- FSCCFSCTLPipetransceiveResponse( DataCount ) Pipetransceive;
- case 0x00090058:
- FSCCFSCTLQueryFatBPBResponse QueryFatBPB;
- case 0x000940cf:
- FSCCFSCTLQueryAllocatedRangesResponse( DataCount ) QueryAllocatedRanges;
- case 0x00090138:
- FSCCFSCTLQuerySparingInfoResponse QuerySparingInfo;
- case 0x000900eb:
- FSCCFSCTLReadFileUSNDataResponse ReadFileUSNData;
- case 0x000900ef:
- FSCCFSCTLWriteUSNCloseRecordResponse WriteUSNCloseRecord;
- case 0x0009027c:
- FSCCFSCTLGetIntegrityInformationResponse GetIntegrityInformation;
- case 0x00098208:
- FSCCFSCTLFileLevelTrimResponse FileLevelTrim;
- case 0x0009013c:
- FSCCFSCTLQueryOnDiskVolumeInfoResponse QueryOnDiskVolumeInfo;
- case 0x000900D7:
- FSCCFSCTLDecryptionStatusBuffer DecryptionStatusBuffer;
- case 0x00094264:
- FSCCFSCTLOffloadReadResponse OffloadRead;
- case 0x00098268:
- FSCCFSCTLOffloadWriteResponse OffloadWrite;
- default:
- BLOB(DataCount) IoctlData;
- }
- }
- case SMBSubCommand == 6:
- SecurityDescriptorRelative SecurityDescriptor;
- case SMBSubCommand == 7:
- struct UserQuotaData
- {
- [Local.NextEntryOffset = 1]
- while QuotaDatas[offset < FrameLength && Local.NextEntryOffset]
- {
- [Local.NextEntryOffset]
- UINT32 NextEntryOffset;
- UINT32 SIDLength;
- FILETIME ChangeTime;
- SMBLargeInteger QuotaUsed;
- SMBLargeInteger QuotaThreshold;
- SMBLargeInteger QuotaLimit;
- switch
- {
- case SIDLength > 0:
- SID(FALSE) UserSID;
- }
- };
- };
- default:
- switch
- {
- case SMBSubCommand >= 0x00:
- _struct ErrorParameterBlock
- {
- ReportParserError(ParserErrorProtocolClassWindows, "SMB", FormatString("Unknown SMB NT Transaction Data Block, SubCommand = 0x%X", SMBSubCommand)) SMBNTTransFunctionError;
- BLOB(DataCount) Data;
- };
- default:
- _struct WarningParameterBlock
- {
- ReportParserWarning("SMB", "May not parse correctly when NT Transaction request is missing") SMBParameterBlockWarning;
- BLOB(DataCount) Data;
- };
- }
- }
- case DataDisplacement > 0 && DataCount > 0:
- //
- // This is a Fragmented NTTtransact Frame
- //
- [SMBContinuation = TRUE, SMBComPramSummary = SMBComPramSummary + " - Continued Response"]
- BLOB(DataCount > FrameLength - FrameOffset ? FrameLength - FrameOffset : DataCount) Data;
- }
- switch
- {
- case frameOffset < frameLength && frameOffset < SMBBytesEndOffset:
- BLOB(SMBBytesEndOffset - frameOffset > frameLength - frameOffset ? frameLength - frameOffset : SMBBytesEndOffset - frameOffset) Pad;
- }
- }
-
- //FSCTL_SRV_ENUMERATE_SNAPSHOTS
- struct SMBFsctlSrvenumErateSnapShots
- {
- UINT32 NumberOfSnapShots = FormatString( "%u", this );
- UINT32 NumberOfSnapShotsReturned = FormatString( "%u", this );
- UINT32 SnapShotArraySize = FormatString( "%u", this );
- Switch
- {
- Case NumberOfSnapShotsReturned > 0:
- Struct SnapShotMultiSZ = FormatString( "%u Snapshots", NumberOfSnapShotsReturned )
- {
- While Snapshots[!(UINT16(FrameData, Offset) == 0x0000)]
- {
- [DataFieldByteOrder = LittleEndian]
- UnicodeString Snapshot;
- }
- Struct SnapshotListTerminator = NullTerminator.ToString
- {
- UINT16 NullTerminator = "NULL";
- }
- }
- }
- }
-
- //0xA4: There is no server SMB_COM_NT_CANCEL response.
- struct SMBComNTCancelRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- UINT8 Reserved;
- }
-
- struct SMBComNTRenameRequest
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x04");
- SMBFileAttributes SearchAttributes;
- UINT16 InformationLevel = FormatString("%s %d(0x%04X)", SMBNTRenameInformationLevel(this), this, this);
- UINT32 ClusterCount;
- UINT16 ByteCount;
- UINT8 OldFileNameFormat = SMBBufferStringFormatsTable(this);
- [Post.SMBComPramSummary = ", " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) OldFileName;
- UINT8 NewFileNameFormat;
- [Post.SMBComPramSummary = SMBComPramSummary + " To " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) NewFileName;
- }
-
- struct SMBComNTRenameResp
- {
- UINT8 WordCount = MUSTBeSetToTable( this, "0x00");
- UINT16 ByteCount = MUSTBeSetToTable( this, "0x0000");
- }
-
- Table SMBTrans2SubCommandTable(command)
- {
- //0x00 TRANS2_OPEN2
- //0x01 TRANS2_FIND_FIRST2
- //0x02 TRANS2_FIND_NEXT2
- //0x03 TRANS2_QUERY_FS_INFORMATION
- //0x04 TRANS_SET_FS_INFORMATION
- //0x05 TRANS2_QUERY_PATH_INFORMATION
- //0x06 TRANS2_SET_PATH_INFORMATION
- //0x07 TRANS2_QUERY_FILE_INFORMATION
- //0x08 TRANS2_SET_FILE_INFORMATION
- //0x09 TRANS2_FSCTL
- //0x0A TRANS2_IOCTL2
- //0x0B TRANS2_FIND_NOTIFY_FIRST
- //0x0C TRANS2_FIND_NOTIFY_NEXT
- //0x0D TRANS2_CREATE_DIRECTORY
- //0x0E TRANS2_SESSION_SETUP
- //0x0F TRANS2_QUERY_FS_INFORMATION_FID
- //0x10 TRANS2_GET_DFS_REFERRAL
- //0x11 TRANS2_REPORT_DFS_INCONSISTENCY
- //0x09 ~ 0x0C: NOT used by Windows NT Server and later.
- switch(command)
- {
- case 0x00: "Open2";
- case 0x01: "Find First2";
- case 0x02: "Find Next2";
- case 0x03: "Query FS Info";
- case 0x04: "Set Fs Info";
- case 0x05: "Query Path Info";
- case 0x06: "Set Path Info";
- case 0x07: "Query File Info";
- case 0x08: "Set File Info";
- case 0x09: "FSctl";
- case 0x0A: "IOctl2";
- case 0x0B: "Find Notify First";
- case 0x0C: "Find Notify Next";
- case 0x0D: "Create Directory";
- case 0x0E: "Session Setup";
- case 0x0F: "Query FS Info Fid";
- case 0x10: "Get Dfs Referral";
- case 0x11: "Report Dfs Inconsistency";
- default: "Unhandled Transact2 Subcommand";
- }
- }
-
- // used for 0x03 TRANS2_QUERY_FS_INFORMATION (all)
- // and 0x0F TRANS2_QUERY_FS_INFORMATION_FID (the first 7)
- Table SMBTrans2QueryFSInfoLevelTable(level)
- {
- //0x0001 SMB_INFO_ALLOCATION
- //0x0002 SMB_INFO_VOLUME
- //0x0101 SMB_QUERY_FS_LABEL_INFO
- //0x0102 SMB_QUERY_FS_VOLUME_INFO
- //0x0103 SMB_QUERY_FS_SIZE_INFO
- //0x0104 SMB_QUERY_FS_DEVICE_INFO
- //0x0105 SMB_QUERY_FS_ATTRIBUTE_INFO
- //0x0200 SMB_UNIX_QUERY_FS_INFO
- //0x0301: SMB_Mac_Query_FS_Info
- //0x03E9: FileFsVolumeInformation
- //0x03EA: FileFsLabelInformation
- //0x03EB: FileFsSizeInformation
- //0x03EC: FileFsDeviceInformation
- //0x03ED: FileFsAttributeInformation
- //0x03EE: FileFsControlInformation
- //0x03EF: FileFsFullSizeInformation
- //0x03F0: FileFsObjectIdInformation
- //0x03F1: FileFsDriverPathInformation
- //0x03F2: FileFsVolumeFlagsInformation
-
- switch(level)
- {
- case 0x0001: "Query Info Allocation";
- case 0x0002: "Query Info Volume";
- case 0x0101: "Query FS Label Info (NT)";
- case 0x0102: "Query FS Volume Info (NT)";
- case 0x0103: "Query FS Size Info (NT)";
- case 0x0104: "Query FS Device Info (NT)";
- case 0x0105: "Query FS Attribute Info (NT)";
- case 0x0200: "Unix Query FS Info";
- case 0x0301: "Mac Query FS Info";
- case 0x03E9: "Query FS Volume Info";
- case 0x03EA: "Query FS Label Info";
- case 0x03EB: "Query FS Size Info";
- case 0x03EC: "Query FS Device Info";
- case 0x03ED: "Query FS Attribute Info";
- case 0x03EE: "Query FS Control Info";
- case 0x03EF: "Query Full FS Size Info";
- case 0x03F0: "Object ID Info";
- case 0x03F1: "Query FS Drive Path Info";
- case 0x03F2: "Query FS Volume Flags Info";
- default: FormatString("(0x%04X) UnknownValue",level );
- }
- }
-
- Table SMBTrans2FindInfoLevelTable(level)
- {
- switch(level)
- {
- case 0x0001: "Standard"; //SMB_INFO_STANDARD
- case 0x0002: "Query EA Size"; //SMB_INFO_QUERY_EA_SIZE
- case 0x0003: "Query EA's From List"; //SMB_INFO_QUERY_EAS_FROM_LIST
- case 0x0004: "Query All EA's"; //SMB_INFO_QUERY_ALL_EAS
- case 0x0101: "Directory Info (NT)"; //SMB_FIND_FILE_DIRECTORY_INFO
- case 0x0102: "Full Directory Info (NT)"; //SMB_FIND_FILE_FULL_DIRECTORY_INFO
- case 0x0103: "Names Info (NT)"; //SMB_FIND_FILE_NAMES_INFO
- case 0x0104: "Both Directory Info (NT)"; //SMB_FIND_FILE_BOTH_DIRECTORY_INFO
- // case 0x0105: "OLE Directory Info"; //SMB_FIND_FILE_OLE_DIRECTORY_INFO
- case 0x0105: "ID Full Directory Info"; //SMB_FIND_FILE_ID_FULL_DIRECTORY_INFO
- case 0x0106: "ID Both Directory Info"; // SMB_FIND_FILE_ID_BOTH_DIRECTORY_INFO
- default: FormatString("%d(0x%04X)", level, level);
- }
- }
-
- Table SMBTrans2QueryFileInfoLevelTable(level)
- {
- // 0x0001 SMB_INFO_STANDARD
- // 0x0002 SMB_INFO_QUERY_EA_SIZE
- // 0x0003 SMB_INFO_QUERY_EAS_FROM_LIST
- // 0x0004 SMB_INFO_QUERY_ALL_EAS
- // 0x0005 SMB_INFO_QUERY_FULL_NAME
- // 0x0006 SMB_INFO_IS_NAME_VALID
- // 0x0101 SMB_QUERY_FILE_BASIC_INFO
- // 0x0102 SMB_QUERY_FILE_STANDARD_INFO
- // 0x0103 SMB_QUERY_FILE_EA_INFO
- // 0x0104 SMB_QUERY_FILE_NAME_INFO
- // 0x0105 SMB_QUERY_FILE_ALLOCATION_INFO
- // 0x0106 SMB_QUERY_FILE_END_OF_FILEINFO
- // 0x0107 SMB_QUERY_FILE_ALL_INFO
- // 0x0108 SMB_QUERY_FILE_ALT_NAME_INFO
- // 0x0109 SMB_QUERY_FILE_STREAM_INFO
- // 0x010A SMB_QUERY_FILE_OLE_ALL_INFO
- // 0x010B SMB_QUERY_FILE_COMPRESSION_INFO
- // 0x010C SMB_QUERY_FILE_OLE_INFO
- // 0x0200 SMB_QUERY_FILE_UNIX_BASIC
- // 0x0201 SMB_QUERY_FILE_UNIX_LINK
- // 0x03E8 SMB_INFO_PASSTHROUGH
- //
- // Notes: If the InformationLevel field is greater than SMB_INFO_PASSTHROUGH (1000 decimal),
- // the remainder of the InformationLevel field minus 1000 specifies the file information being requested.
- // Dec Dec+ Hex Info level
- // 1 1001 0x03E9 FileDirectoryInformation
- // 2 1002 0x03EA FileFullDirectoryInformation
- // 3 1003 0x03EB FileBothDirectoryInformation
- // 4 1004 0x03EC FileBasicInformation
- // 5 1005 0x03ED FileStandardInformation
- // 6 1006 0x03EE FileInternalInformation
- // 7 1007 0x03EF FileEaInformation
- // 8 1008 0x03F0 FileAccessInformation
- // 9 1009 0x03F1 FileNameInformation
- // 10 1010 0x03F2 FileRenameInformation
- // 11 1011 0x03F3 FileLinkInformation
- // 12 1012 0x03F4 FileNamesInformation
- // 13 1013 0x03F5 FileDispositionInformation
- // 14 1014 0x03F6 FilePositionInformation
- // 15 1015 0x03F7 FileFullEaInformation
- // 16 1016 0x03F8 FileModeInformation
- // 17 1017 0x03F9 FileAlignmentInformation
- // 18 1018 0x03FA FileAllInformation
- // 19 1019 0x03FB FileAllocationInformation
- // 20 1020 0x03FC FileEndOfFileInformation
- // 21 1021 0x03FD FileAlternateNameInformation
- // 22 1022 0x03FE FileStreamInformation
- // 23 1023 0x03FF FilePipeInformation
- // 24 1024 0x0400 FilePipeLocalInformation
- // 25 1025 0x0401 FilePipeRemoteInformation
- // 26 1026 0x0402 FileMailslotQueryInformation
- // 27 1027 0x0403 FileMailslotSetInformation
- // 28 1028 0x0404 FileCompressionInformation
- // 29 1029 0x0405 FileObjectIdInformation
- // 30 1030 0x0406 FileCompletionInformation
- // 31 1031 0x0407 FileMoveClusterInformation
- // 32 1032 0x0408 FileQuotaInformation
- // 33 1033 0x0409 FileReparsePointInformation
- // 34 1034 0x040A FileNetworkOpenInformation
- // 35 1035 0x040B FileAttributeTagInformation
- // 36 1036 0x040C FileTrackingInformation
- // 37 1037 0x040D FileIdBothDirectoryInformation
- // 38 1038 0x040E FileIdFullDirectoryInformation
- // 39 1039 0x040F FileValidDataLengthInformation
- // 40 1040 0x0410 FileShortNameInformation
- switch(level)
- {
- case 0x0001: "Query Standard Info";
- case 0x0002: "Query EA Size";
- case 0x0003: "Query EAs From List";
- case 0x0004: "Query All EAs";
- case 0x0005: "Query Full Name";
- case 0x0006: "Info Is Name Valid";
- case 0x0101: "Query File Basic Info";
- case 0x0102: "Query File Standard Info";
- case 0x0103: "Query File EA Info";
- case 0x0104: "Query File Name Info";
- case 0x0105: "Query File Allocation Info";
- case 0x0106: "Query File End of File Info";
- case 0x0107: "Query File All Info";
- case 0x0108: "Query File Alternate Name Info";
- case 0x0109: "Query File Stream Info";
- case 0x010A: "Query File OLE All Info";
- case 0x010B: "Query File Compression Info";
- case 0x010C: "Query File OLE Info";
- case 0x0200: "Query File Unix Basic";
- case 0x0201: "Query File Unix Link";
-
- // Larger than 1000 (0x03E8 SMB_INFO_PASSTHROUGH)
- case 0x03E9: "Query File Dir Info";
- case 0x03EA: "Query File Full Dir Info";
- case 0x03EB: "Query File Both Dir Info";
- case 0x03EC: "Query File Basic Info";
- case 0x03ED: "Query File Standard Info";
- case 0x03EE: "Query File Internal Info";
- case 0x03EF: "Query File EA Info";
- case 0x03F0: "Query File Access Info";
- case 0x03F1: "Query File Name Info";
- case 0x03F2: "Query File Rename Info";
- case 0x03F3: "Query File Link Info";
- case 0x03F4: "Query File Names Info";
- case 0x03F5: "Query File Disposition Info";
- case 0x03F6: "Query File Position Info";
- case 0x03F7: "Query File Full EA Info";
- case 0x03F8: "Query File Mode Info";
- case 0x03F9: "Query File Alignment Info";
- case 0x03FA: "Query File All Info";
- case 0x03FB: "Query File Allocation Info";
- case 0x03FC: "Query File End of File Info";
- case 0x03FD: "Query File Alternate Name Info";
- case 0x03FE: "Query File Stream Info";
- case 0x03FF: "Query File Pipe Info";
- case 0x0400: "Query File Pipe Local Info";
- case 0x0401: "Query File Pipe Remote Info";
- case 0x0402: "Query File Mailslot Query Info";
- case 0x0403: "Query File Mailslot Set Info";
- case 0x0404: "Query File Compression Info";
- case 0x0405: "Query File ObjectID Info";
- case 0x0406: "Query File Completion Info";
- case 0x0407: "Query File Move Cluster Info";
- case 0x0408: "Query File Quota Info";
- case 0x0409: "Query File Reparse Point Info";
- case 0x040A: "Query File Network Open Info";
- case 0x040B: "Query File Attribute Tag Info";
- case 0x040C: "Query File Tracking Info";
- case 0x040D: "Query ID Both Dir Info";
- case 0x040E: "Query ID Full Dir Info";
- case 0x040F: "Query Valid DataLength Info";
- case 0x0410: "Query ShortName Info";
- case 0x0411: "Query File Maximum Info";
- default: FormatString("0x%04X", level);
- }
- }
-
- Table SMBTrans2SetFileInfoLevelTable(level)
- {
- //0x0001 SMB_INFO_STANDARD
- //0x0002 SMB_INFO_SET_EAS
- //0x0101 SMB_SET_FILE_BASIC_INFO
- //0x0102 SMB_SET_FILE_DISPOSITION_INFO
- //0x0103 SMB_SET_FILE_ALLOCATION_INFO
- //0x0104 SMB_SET_FILE_END_OF_FILE_INFO
- //0x0105 SMB_SET_FILE_OLE_CLASSID_INFO
- //0x0106 SMB_SET_FILE_OLE_STATE_BITS_INFO
- //0x0107 SMB_SET_FILE_OBJECTID_INFO
- //0x0108 SMB_SET_FILE_CONTENT_INDEX_INFO
- //0x0109 SMB_SET_FILE_INHERIT_CONTENT_INDEX_INFO
- //0x010A SMB_SET_FILE_OLE_INFO
- //0x0200 SMB_SET_FILE_UNIX_BASIC
- //0x0201 SMB_SET_FILE_UNIX_LINK
- //0x0203 SMB_SET_FILE_UNIX_HLINK
- // 4 1004 0x03EC FileBasicInformation
- //10 1010 0x03F2 FileRenameInformation
- //13 1013 0x03F5 FileDispositionInformation
- //14 1014 0x03F6 FilePositionInformation
- //16 1016 0x03F8 FileModeInformation
- //19 1019 0x03FB FileAllocationInformation
- //20 1020 0x03FC FileEndOfFileInformation
- //23 1023 0x03FF FilePipeInformation
- //25 1025 0x0401 FilePipeRemoteInformation
- //29 1029 0x0405 FileObjectIdInformation
- //32 1032 0x0408 FileQuotaInformation
- //39 1039 0x040F FileValidDataLengthInformation
- //40 1040 0x0410 FileNameInformation
- switch(level)
- {
- case 0x0001: "Set Standard Info";
- case 0x0002: "Set EA Size";
- case 0x0101: "Set File Basic Info";
- case 0x0102: "Set File Disposition Info";
- case 0x0103: "Set File Allocation Info";
- case 0x0104: "Set File EOF Info";
- case 0x0105: "Set File Ole Classid Info";
- case 0x0106: "Set File Ole State Bits Info";
- case 0x0107: "Set File ObjectID Info";
- case 0x0108: "Set File Content Index Info";
- case 0x0109: "Set File Inherit Content Index Info";
- case 0x010A: "Set File Ole Info";
- case 0x0200: "Set File Unix Basic";
- case 0x0201: "Set File Unix Link";
- case 0x0203: "Set File Unix HLink";
-
- // Larger than 1000 (0x03E8 SMB_INFO_PASSTHROUGH)
- case 0x03EC: "Set File Basic Info";
- case 0x03F2: "Set File Rename Info";
- case 0x03F3: "Set File Link Info";
- case 0x03F5: "Set File Disposition Info";
- case 0x03F6: "Set File Position Info";
- case 0x03F8: "Set File Mode Info";
- case 0x03FB: "Set File Allocation Info";
- case 0x03FC: "Set File End of File Info";
- case 0x03FF: "Set File Pipe Info";
- case 0x0401: "Set File Pipe Remote Info";
- case 0x0405: "Set File ObjectID Info";
- case 0x0408: "Set File Quota Info";
- case 0x040F: "Set Valid DataLength Info";
- case 0x0410: "Set Name Info";
- default: FormatString("0x%04X", level);
- }
- }
-
- Table SMBTrans2InfoLevelTable(subCommand, level)
- {
- switch(subCommand)
- {
- case 0x01: SMBTrans2FindInfoLevelTable(level);
- case 0x02: SMBTrans2FindInfoLevelTable(level);
- case 0x03: SMBTrans2QueryFSInfoLevelTable(level);
- case 0x04: SMBTrans2QueryFSInfoLevelTable(level);
- case 0x05: SMBTrans2QueryFileInfoLevelTable(level);
- case 0x06: SMBTrans2SetFileInfoLevelTable(level);
- case 0x07: SMBTrans2QueryFileInfoLevelTable(level);
- case 0x08: SMBTrans2SetFileInfoLevelTable(level);
- case 0x0F: SMBTrans2QueryFSInfoLevelTable(level);
- default: "Unhandled Transact2 Information Level";
- }
- }
-
- //netmon2 code, smbtab.c, line 1073
- Table SMBT2IOCtlCategoryTable(value)
- {
- switch(value)
- {
- case 1: FormatString("Comm Device %d(0x%X)", value, value);
- case 5: FormatString("Printer Device %d(0x%X)", value, value);
- case 11: FormatString("Character Device %d(0x%X)", value, value);
- default: FormatString("Unknown Device %d(0x%X)", value, value);
- }
- }
-
- //netmon2 code, smbtab.c, line 1084
- Table SMBT2IOCtlFunctionTable(category, value)
- {
- switch
- {
- case category == 0x01 && value == 0x41: FormatString("Set baud rate %d(0x%X)", value, value);
- case category == 0x01 && value == 0x42: FormatString("Set line control register %d(0x%X)", value, value);
- case category == 0x01 && value == 0x43: FormatString("Set flow control characters %d(0x%X)", value, value);
- case category == 0x01 && value == 0x44: FormatString("Transmit immediate %d(0x%X)", value, value);
- case category == 0x01 && value == 0x45: FormatString("Set break off %d(0x%X)", value, value);
- case category == 0x01 && value == 0x46: FormatString("Set modem control register %d(0x%X)", value, value);
- case category == 0x01 && value == 0x4b: FormatString("Set break on %d(0x%X)", value, value);
- case category == 0x01 && value == 0x4c: FormatString("Stop transmit %d(0x%X)", value, value);
- case category == 0x01 && value == 0x4d: FormatString("Start transmit %d(0x%X)", value, value);
- case category == 0x01 && value == 0x4e: FormatString("Set I/O behavior %d(0x%X)", value, value);
- case category == 0x01 && value == 0x52: FormatString("Set communications event %d(0x%X)", value, value);
- case category == 0x01 && value == 0x53: FormatString("Set device control block infomation %d(0x%X)", value, value);
- case category == 0x01 && value == 0x61: FormatString("Return current baud rate %d(0x%X)", value, value);
- case category == 0x01 && value == 0x62: FormatString("Return line control register %d(0x%X)", value, value);
- case category == 0x01 && value == 0x63: FormatString("Return flow control characters %d(0x%X)", value, value);
- case category == 0x01 && value == 0x65: FormatString("Return current line status %d(0x%X)", value, value);
- case category == 0x01 && value == 0x66: FormatString("Return modem control register %d(0x%X)", value, value);
- case category == 0x01 && value == 0x67: FormatString("Return current modem status %d(0x%X)", value, value);
- case category == 0x01 && value == 0x68: FormatString("Return number of characters in input queue %d(0x%X)", value, value);
- case category == 0x01 && value == 0x69: FormatString("Return number of characters in output queue %d(0x%X)", value, value);
- case category == 0x01 && value == 0x6b: FormatString("Return communications status %d(0x%X)", value, value);
- case category == 0x01 && value == 0x6d: FormatString("Return communications error %d(0x%X)", value, value);
- case category == 0x01 && value == 0x6e: FormatString("Return I/O control setting %d(0x%X)", value, value);
- case category == 0x01 && value == 0x72: FormatString("Return communication event mask %d(0x%X)", value, value);
- case category == 0x01 && value == 0x73: FormatString("Return device control information %d(0x%X)", value, value);
- case category == 0x05 && value == 0x42: FormatString("Set frame control %d(0x%X)", value, value);
- case category == 0x05 && value == 0x44: FormatString("Set infinite retry %d(0x%X)", value, value);
- case category == 0x05 && value == 0x46: FormatString("Initialize printer %d(0x%X)", value, value);
- case category == 0x05 && value == 0x48: FormatString("Activate font %d(0x%X)", value, value);
- case category == 0x05 && value == 0x62: FormatString("Return frame control %d(0x%X)", value, value);
- case category == 0x05 && value == 0x64: FormatString("Return infinite retry %d(0x%X)", value, value);
- case category == 0x05 && value == 0x66: FormatString("Return printer status %d(0x%X)", value, value);
- case category == 0x05 && value == 0x69: FormatString("Query active font %d(0x%X)", value, value);
- case category == 0x05 && value == 0x6a: FormatString("Verify font %d(0x%X)", value, value);
- case category == 0x0B && value == 0x01: FormatString("Flush input buffer %d(0x%X)", value, value);
- case category == 0x0B && value == 0x02: FormatString("Flush output buffer %d(0x%X)", value, value);
- case category == 0x0B && value == 0x60: FormatString("Query monitor support %d(0x%X)", value, value);
- default: FormatString("Unknown Function %d(0x%X)", value, value);
- }
- }
-
- struct SMBComTransaction2Request
- {
- UINT8 WordCount;
- UINT16 TotalParameterCount;
- UINT16 TotalDataCount;
- UINT16 MaxParameterCount;
- UINT16 MaxDataCount;
- UINT8 MaxSetupCount ;
- UINT8 Reserved;
- // reference CIFS-TR-1p00_FINAL.pdf , page 44
- [DataFieldByteOrder = LittleEndian]
- UINT16 Flags = Disconnect ? "Disconnect TID" : "Do NOT disconnect TID"
- {
- UINT16 Disconnect:1 = FormatString("(%s) %s", This.ToBitString, this ? "Disconnect TID" : "Do NOT disconnect TID");
- UINT16 NoResponse:1 = FormatString("(%s) %s", This.ToBitString, this ? "MUST NOT send a response back to the client" : " ");
- UINT16 Reserved:14 = FormatString(" (%s) Reserved", This.ToBitString);
- };
- UINT32 Timeout = FormatString("%d sec(s)",this);
- UINT16 Reserved2;
- UINT16 ParameterCount;
- UINT16 ParameterOffset;
- UINT16 DataCount;
- UINT16 DataOffset;
- UINT8 SetupCount;
- UINT8 Reserved3;
- //These are Setup Words
- [
- SMBSubCommand,
- SMBComSummary = SMBComSummary + ", " + SMBTrans2SubCommandTable(this),
- conversation.SMBSubCommandTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)]//save into SMB parent protocol conversation
- ]
- UINT16 SubCommand = FormatString("%s, %d(0x%04X)", SMBTrans2SubCommandTable(this), this, this);
- switch
- {
- case SubCommand == 0x09 && SetupCount >= 4:
- struct FSCTLSetupWords
- {
- UINT16 FileHandle;
- UINT16 FunctionCode;
- UINT16 RouteMethod;
- AsciiString((SetupCount-4)*2) RouteName;
- };
- case SubCommand == 0x0A && SetupCount == 4:
- struct IOCTL2SetupWords
- {
- UINT16 DeviceHandle;
- UINT16 DeviceCategory = SMBT2IOCtlCategoryTable(this);
- UINT16 DeviceFunction = SMBT2IOCtlFunctionTable(DeviceCategory, this);
- };
- case SetupCount > 1:
- UINT16 setupWord[SetupCount - 1];
- }
- [SMBBytesEndOffset = frameOffset + 2 + ByteCount]
- UINT16 ByteCount;
- switch
- {
- case CurrentProtocolOffset < ParameterOffset:
- BLOB(ParameterOffset - CurrentProtocolOffset) Pad1;
- }
- //
- // These are Transact2 Request parameters
- //
- switch (SubCommand)
- {
- case 0x00: //TRANS2_OPEN2
- struct Open2ParameterBlock
- {
- UINT16 Flags
- {
- UINT16 AdditionalInfo: 1 = FormatString(" (%s) %s", this.ToBitString, this ? "Return additional info(FileAttributes, DataSize, GrantedAccess, FileType, and DeviceState)" : "FileAttributes, DataSize, GrantedAccess, FileType, and DeviceState have indeterminate values and client ignores them");
- UINT16 ExclusiveOplock: 1 = FormatString("(%s) %s", this.ToBitString, this ? "Exclusive oplock requested" : "Exclusive oplock NOT requested");
- UINT16 BatchOplock: 1 = FormatString(" (%s) %s", this.ToBitString, this ? "Batch oplock requested" : "Batch oplock NOT requested");
- UINT16 EALength: 1 = FormatString(" (%s) %s", this.ToBitString, this ? "Return total length of EAs" : "Do NOT Return total length of EAs");
- UINT16 Reserved:12 = FormatString(" (%s) %s", this.ToBitString, "Reserved");
- };
- SMBAccessMode DesiredAccess;
- UINT16 Reserved1;
- SMBFileAttributes FileAttributes;
- SMBTIME CreationTime;
- SMBDATE CreationDate;
- SMBOpenFunction OpenMode;
- UINT32 AllocationSize;
- UINT16 Reserved [5];
- switch(Property.SMBUnicode)
- {
- case 0:
- _struct AsciiFileName
- {
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- AsciiString FileName;
- }
- case 1:
- _struct UnicodeFileName
- {
- ALIGN2 Align;
- [
- Property.SMBFileName = this ? FormatString("%s@#%u", this, FrameNumber + 1): FormatString("%s@#%u", NullFileName, FrameNumber + 1),
- Post.conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName),
- Post.Conversation.ConversationDescription = FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID),
- SMBComPramSummary = ", FileName = " + this
- ]
- UnicodeString FileName;
- }
- }
- }
- case 0x01: //TRANS2_FIND_FIRST2
- struct FindFirst2ParameterBlock
- {
- SMBFileAttributes SearchAttributes;
- UINT16 SearchCount;
- [DataFieldByteOrder = LittleEndian]
- UINT16 Flags
- {
- UINT16 CloseAfterRequest:1 = FormatString("(%s) %s", this.ToBitString, this ? "Close search after this request" : "Do NOT close search after this request");
- UINT16 CloseIfEndReached:1 = FormatString("(%s) %s", this.ToBitString, this ? "Close the search if the end of the search is reached" : "Do NOT close the search if the end of the search is reached");
- [conversation.SMBTransact2FindResumeKey$[MakeByteArray(SMBTID, SMBPID, SMBMID)]]
- UINT16 ReturnResumeKeys:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Return resume keys for each entry found" : "Don't Return resume keys for each entry found");
- UINT16 PreviousEnding:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Resume/control from previous ending place" : "Do NOT Resume/control from previous ending place");
- UINT16 BackupIntent:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Find with backup intent" : "find without backup intent");
- UINT16 Reserved:11 = FormatString(" (%s) %s", this.ToBitString, "Reserved");
- };
- [
- TransInformationLevel,
- SMBComSummary = SMBComSummary + ", " + SMBTrans2FindInfoLevelTable(this),
- conversation.SMBTransact2InformationLevelTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)]
- ]
- UINT16 InformationLevel = SMBTrans2FindInfoLevelTable(this);
- [
- BuildConversationWithParent(MakeByteArray(SMBTID, SMBPID, SMBMID)),
- Post.Conversation.ConversationDescription = FormatString("(TID:0x%04X, PID:0x%04X, MID:0x%04X) ConvID = %d", SMBTID, SMBPID, SMBMID, ConvID)
- ]
- UINT32 SearchStorageType = SMBSearchStorageTypeTable(this);
- [Post.SMBComPramSummary = ", Pattern = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) SearchPattern;
- }
- case 0x02: // TRANS2_FIND_NEXT2
- struct FindNext2ParameterBlock
- {
- UINT16 Sid;
- UINT16 SearchCount;
- [
- TransInformationLevel,
- SMBComSummary = SMBComSummary + ", " + SMBTrans2FindInfoLevelTable(this),
- conversation.SMBTransact2InformationLevelTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)]
- ]
- UINT16 InformationLevel = SMBTrans2FindInfoLevelTable(this);
- UINT32 ResumeKey;
- [DataFieldByteOrder = LittleEndian]
- UINT16 Flags
- {
- UINT16 CloseAfterRequest:1 = FormatString("(%s) %s", this.ToBitString, this ? "Close search after this request" : "Do NOT close search after this request");
- UINT16 CloseIfEndReached:1 = FormatString("(%s) %s", this.ToBitString, this ? "Close the search if the end of the search is reached" : "Do NOT close the search if the end of the search is reached");
- [conversation.SMBTransact2FindResumeKey$[MakeByteArray(SMBTID, SMBPID, SMBMID)]]
- UINT16 ReturnResumeKeys:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Return resume keys for each entry found" : "Don't Return resume keys for each entry found");
- UINT16 PreviousEnding:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Resume/control from previous ending place" : "Do NOT Resume/control from previous ending place");
- UINT16 BackupIntent:1 = FormatString(" (%s) %s", this.ToBitString, this ? "Find with backup intent" : "find without backup intent");
- UINT16 Reserved:11 = FormatString(" (%s) %s", this.ToBitString, "Reserved");
- };
- [
- BuildConversationWithParent(MakeByteArray(SMBTID, SMBPID, SMBMID)),
- Post.Conversation.ConversationDescription = FormatString("(TID:0x%04X, PID:0x%04X, MID:0x%04X) ConvID = %d", SMBTID, SMBPID, SMBMID, ConvID),
- Post.SMBComPramSummary = ", FileName = " + SMBFileNameValue
- ]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) FileName;
- }
- case 0x03: //TRANS2_QUERY_FS_INFORMATION
- case 0x0F: //TRANS2_QUERY_FS_INFORMATION_FID
- struct QueryFSInfoParameterBlock
- {
- [
- TransInformationLevel,
- SMBComSummary = SMBComSummary + ", " + SMBTrans2QueryFSInfoLevelTable(this),
- conversation.SMBTransact2InformationLevelTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)]
- ]
- UINT16 QueryInfoLevel = SMBTrans2QueryFSInfoLevelTable(this);
- switch(ParameterCount)
- {
- case 4:
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- conversation.SMBParaCountTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = ParameterCount,
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- }
- };
- case 0x04: //TRANS2_SET_FS_INFORMATION
- struct SetFSInfoParameterBlock
- {
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Conversation.SMBTransact2InformationLevelTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = UINT16(FrameData, FrameOffset + 2),
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- [
- TransInformationLevel,
- SMBComSummary = SMBComSummary + ", " + SMBTrans2QueryFSInfoLevelTable(this)
- ]
- UINT16 InformationLevel = SMBTrans2QueryFSInfoLevelTable(this);
- };
- case 0x05: //TRANS2_QUERY_PATH_INFORMATION
- struct QueryPathInfoParameterBlock
- {
- [
- TransInformationLevel,
- SMBComSummary = SMBComSummary + ", " + SMBTrans2QueryFileInfoLevelTable(this),
- conversation.SMBTransact2InformationLevelTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)]
- ]
- UINT16 InformationLevel = SMBTrans2QueryFileInfoLevelTable(this);
- [
- BuildConversationWithParent(MakeByteArray(SMBTID, SMBPID, SMBMID)),
- Post.Conversation.ConversationDescription = FormatString("(TID:0x%04X, PID:0x%04X, MID:0x%04X) ConvID = %d", SMBTID, SMBPID, SMBMID, ConvID)
- ]
- UINT32 Reserved;
- [Post.SMBComPramSummary = ", Pattern = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) Pattern;
- }
- case 0x06: // TRANS2_SET_PATH_INFORMATION
- struct SetPathInfoParameterBlock
- {
- [
- TransInformationLevel,
- SMBComSummary = SMBComSummary + ", " + SMBTrans2SetFileInfoLevelTable(this),
- conversation.SMBTransact2InformationLevelTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)]
- ]
- UINT16 InformationLevel = SMBTrans2SetFileInfoLevelTable(this);
- UINT32 Reserved;
- [Post.SMBComPramSummary = ", Path = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) PathName;
- }
- case 0x07: // TRANS2_QUERY_FILE_INFORMATION
- struct QueryFileInfoParameterBlock
- {
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Conversation.SMBTransact2InformationLevelTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = UINT16(FrameData, FrameOffset + 2),
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- [
- TransInformationLevel,
- SMBComSummary = SMBComSummary + ", " + SMBTrans2QueryFileInfoLevelTable(FileInfoLevel)
- ]
- UINT16 FileInfoLevel = SMBTrans2QueryFileInfoLevelTable(this);
- }
- case 0x08: //TRANS2_SET_FILE_INFORMATION
- struct SetFileInfoParameterBlock
- {
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Conversation.SMBTransact2InformationLevelTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = UINT16(FrameData, FrameOffset + 2),
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- [
- TransInformationLevel,
- SMBComSummary = SMBComSummary + ", " + SMBTrans2SetFileInfoLevelTable(InformationLevel)
- ]
- UINT16 InformationLevel = SMBTrans2SetFileInfoLevelTable(this);
- UINT16 Reserved;
- // documentation and captured data doesn't match to parse from here
- }
- case 0x0D: //TRANS2_CREATE_DIRECTORY
- struct CreateDirectoryParameterBlock
- {
- UINT32 Reserved;
- [Post.SMBComPramSummary = ", Dir = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) DirectoryName;
- };
- case 0x10: //TRANS2_GET_DFS_REFERRAL
- [
- DataFieldFrameLength = SMBBytesEndOffset,
- BuildConversationWithParent(MakeByteArray(SMBTID, SMBPID, SMBMID)),
- Post.Conversation.ConversationDescription = FormatString("(TID:0x%04X, PID:0x%04X, MID:0x%04X) ConvID = %d", SMBTID, SMBPID, SMBMID, ConvID)
- ]
- DFSC Dfsc;
- case 0x11: //TRANS2_REPORT_DFS_INCONSISTENCY
- struct ReportDFSInconsistencyParameterBlock
- {
- [Post.SMBComPramSummary = ", RequestFileName = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) FileName;
- };
- default:
- _struct ErrorParameterBlock
- {
- switch
- {
- case frameOffset < SMBBytesEndOffset &&
- frameOffset < frameLength &&
- ParameterCount > 0:
- BLOB(ParameterCount > SMBBytesEndOffset-offset ? SMBBytesEndOffset-offset : ParameterCount) Parameters;
- }
- }
- }
- switch
- {
- case frameOffset < SMBBytesEndOffset &&
- frameOffset < frameLength &&
- CurrentProtocolOffset < DataOffset:
- BLOB(DataOffset-CurrentProtocolOffset > SMBBytesEndOffset-offset ? SMBBytesEndOffset-offset : DataOffset-CurrentProtocolOffset) Pad2;
- }
- //
- // These are Transact2 Request Datas
- //
- [conversation.SMBSubCommandTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = SubCommand,// save into SMB conversation
- conversation.SMBTransact2InformationLevelTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)] = TransInformationLevel]// save into SMB conversation
- switch (SubCommand)
- {
- case 0x00: // TRANS2_OPEN2
- //This is the EAList[*]
- SMBFEAList FEAList;
- case 0x01: //TRANS2_FIND_FIRST2
- case 0x02: //TRANS2_FIND_NEXT2
- case 0x05: //TRANS2_QUERY_PATH_INFORMATION
- case 0x07: //TRANS2_QUERY_FILE_INFORMATION
- switch
- {
- case TransInformationLevel == 0x0003:
- //This is the EAList[*]
- SMBGEAList GetExtendedAttributeList;
- }
- case 0x04: //TRANS_SET_FS_INFORMATION
- SMBTrans2FSInfoDataBlock(TransInformationLevel) SetFSInfoDataBlock;
- case 0x06: // TRANS2_SET_PATH_INFORMATION
- case 0x08: // TRANS2_SET_FILE_INFORMATION
- switch(TransInformationLevel)
- {
- case 0x0001: // SMB_INFO_STANDARD
- case 0x0002: // SMB_INFO_SET_EAS
- SMBFEAList ExtendedAttributeList2;
- case 0x0101: // SMB_QUERY_FILE_BASIC_INFO
- case 0x03EC: // FileBasicInformation
- SMBTrans2FileBasicInfo FileBasicDataBlock;
- case 0x0102: // SMB_SET_FILE_DISPOSITION_INFO
- case 0x03F5: // FileDispositionInformation
- _struct FileDispositionInfoDataBlock
- {
- BOOLEAN DeleteFile;
- };
- case 0x0103: // SMB_SET_FILE_ALLOCATION_INFO
- case 0x03FB: // FileAllocationInformation
- _struct FileAllocationInfoDataBlock
- {
- SMBLargeInteger AllocationSize;
- };
- case 0x0104: // SMB_SET_FILE_END_OF_FILE_INFO
- case 0x03FC: // FileEndOfFileInformation
- _struct FileEndOfFileInfoDataBlock
- {
- SMBLargeInteger EndOfFile;
- };
- case 0x0200: // SMB_QUERY_FILE_UNIX_BASIC
- SMBTrans2FileUnixBasicInfo FileUnixBasicInfoDataBlock;
- case 0x0201: // SMB_QUERY_FILE_UNIX_LINK
- case 0x0203: // SMB_QUERY_FILE_UNIX_HLINK
- [Post.SMBComPramSummary = ", Link Destination = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) LinkDest;
- case 0x03F2: // FileRenameInformation
- FSCCFileRenameInformationForSMB FileRenameInfoDataBlock;
- case 0x03F3: // FileLinkInformation
- FSCCFileLinkInformationForSMB FileLinkInfoDataBlock;
- case 0x03F6: // FilePositionInformation
- _struct FilePositionInfoDataBlock
- {
- UINT64 CurrentByteOffset;
- };
- case 0x03F8: // FileModeInformation
- _struct FileModeInfoDataBlock
- {
- UINT32 Mode
- {
- UINT32 Reserved1:1 = FormatString(" (%s) UnUsed",this.ToBitString);
- UINT32 WriteThrough:1 = FormatString(" (%s) %s",this.ToBitString,this ? "Data is written to file before the driver completes a write request" : "Data is NOT written to file before the driver completes a write request");
- UINT32 SequentialOnly:1 = FormatString("(%s) %s",this.ToBitString,this ? "All access to the file is sequential" : "NOT All access to the file is sequential");
- UINT32 Reserved2:1 = FormatString(" (%s) UnUsed",this.ToBitString);
- UINT32 SynIOAlert:1 = FormatString(" (%s) %s",this.ToBitString,this ? "All operations on the file are performed synchronously" : "NOT All operations on the file are performed synchronously");
- UINT32 SynIONonalert:1 = FormatString(" (%s) %s",this.ToBitString,this ? "All operations on the file are to be performed synchronously" :"NOT All operations on the file are to be performed synchronously");
- UINT32 Reserved3:26 = FormatString(" (%s) UnUsed",this.ToBitString);
- };
- };
- case 0x03FF: // FilePipeInformation
- SMBTrans2FilePipeInfo FilePipeInfoDataBlock;
- case 0x0401: // FilePipeRemoteInformation
- SMBTrans2FilePipeRemoteInfo FilePipeRemoteInfoDataBlock;
- case 0x0405: // FileObjectIDInformation
- SMBTrans2FileObjectIDInfo FileObjectIDInfoDataBlock;
- case 0x0408: // FileQuotaInformation
- [SmbRTransact2NxtEntryOffset = FrameOffset]
- While FileQuotaInfo[FrameOffset + 8 < FrameLength && SmbRTransact2NxtEntryOffset == FrameOffset]
- {
- SMBFileQuotaInfo QuotaInfo;
- };
- case 0x040F: // FileValidDataLengthInformation
- _struct FileValidDataLengthInfoDataBlock
- {
- UINT64 ValidDataLength;
- };
- case 0x0410: // FileNameInformation
- SMBTrans2FileNameInfo NameInfoDataBlock;
- //case 0x0105: //SMB_SET_FILE_OLE_CLASSID_INFO
- //case 0x0106: //SMB_SET_FILE_OLE_STATE_BITS_INFO
- //case 0x0107: //SMB_SET_FILE_OBJECTID_INFO
- //case 0x0108: //SMB_SET_FILE_CONTENT_INDEX_INFO
- //case 0x0109: //SMB_SET_FILE_INHERIT_CONTENT_INDEX_INFO
- //case 0x010A: //SMB_SET_FILE_OLE_INFO
- default:
- _struct ErrorDataBlock
- {
- SMBReportUnknownInfoLevel(TransInformationLevel) WarningErrorInfo;
- BLOB(FrameLength - FrameOffset) Data;
- };
- }
- case 0x0E: //#? TRANS2_SESSION_SETUP
- struct SessionSetupDataBlock
- {
- UINT8 WordCount;
- UINT8 Pad;
- UINT16 MaxBufferSize;
- UINT16 MaxMpxCount;
- UINT16 VcNumber;
- UINT32 SessionKey;
- SMBCapability Capabilities;
- UINT32 SecurityBlobLength;
- SMBSecurityBlob(SecurityBlobLength) SecurityBlob;
- [Post.SMBComPramSummary = ", UserName = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) UserName;
- }
- case 0x0D: // TRANS2_CREATE_DIRECTORY
- //This is the EAList[*]
- SMBFEAList ExtendedAttributeList1;
- default:
- switch
- {
- case DataCount > 0:
- _struct ErrorDataBlock
- {
- ReportParserError(ParserErrorProtocolClassWindows, "SMB", FormatString("Unknown SMB Transaction2 Response Data, SubCommand = 0x%X", SubCommand)) Trans2ResponseDataError;
- BLOB(DataCount) Data;
- }
- }
- }
- switch
- {
- case frameOffset < frameLength &&
- frameOffset < SMBBytesEndOffset:
- BLOB(SMBBytesEndOffset - frameOffset > frameLength - frameOffset ? frameLength - frameOffset : SMBBytesEndOffset - frameOffset) Pad;
- }
- }
-
- // [MS-CIFS] 2.2.1.2.2 SMB_FEA
- struct SMBFEA = AttributeName
- {
- UINT8 ExtendedAttributeFlag;
- UINT8 AttributeNameLengthInBytes;
- UINT16 AttributeValueLengthInBytes;
- AsciiString(AttributeNameLengthInBytes + 1) AttributeName;
- AsciiString(AttributeValueLengthInBytes) ValueName;
- }
-
- [Property.SMBInterimResponse = true]
- struct SMBComInterimTransaction2Resp
- {
- [
- conversation.SMBSubCommandPerFrame$[FrameNumber] = conversation.SMBSubCommandTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBSubCommand = conversation.SMBSubCommandPerFrame$[FrameNumber],
- SMBComSummary = SMBComSummary + ", " + SMBTrans2SubCommandTable(Property.SMBSubCommand),
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = conversation.SMBFileIDPerFrame$[FrameNumber]
- ]
- UINT8 WordCount;
- switch
- {
- case !conversation.SMB.Id:
- [
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- _struct _BuildConversation{};
- }
- UINT16 ByteCount;
- }
-
-
- Table SMBFileTypeTable( type )
- {
- switch( type )
- {
- case 0: "FileTypeDisk: Disk file or directory as defined in the attribute field";
- case 1: "FileTypeByteModePipe: Named pipe in byte mode";
- case 2: "FileTypeMessageModePipe: Named pipe in message mode";
- case 3: "FileTypePrinter: Spooled printer";
- case 4: "FileTypeCommDevice: Communications device";
- case 0xFFFF: "FileTypeUnknown: Unrecognized resource type";
- default: "Unhandled file type";
- }
- }
-
- struct SMBComTransaction2SecondaryRequest
- {
- [
- conversation.SMBSubCommandPerFrame$[FrameNumber] = conversation.SMBSubCommandTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBSubCommand = conversation.SMBSubCommandPerFrame$[FrameNumber]
- ]
- UINT8 WordCount = MUSTBeSetToTable( this, "0x09");
- UINT16 TotalParameterCount;
- UINT16 TotalDataCount;
- UINT16 ParameterCount;
- UINT16 ParameterOffset;
- UINT16 ParameterDisplacement;
- UINT16 DataCount;
- UINT16 DataOffset;
- UINT16 DataDiaplacement;
- [
- conversation.SMBFileIDPerFrame$[FrameNumber] = conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- SMBFileID = this == 0xFFFF ? conversation.SMBFileIDPerFrame$[FrameNumber] : this,
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.Property.SMBFileName = conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)],
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- [SMBBytesEndOffset = frameOffset + 2 + ByteCount]
- UINT16 ByteCount;
- switch
- {
- case ParameterOffset > CurrentProtocolOffset:
- BLOB(ParameterOffset - CurrentProtocolOffset) Pad1;
- }
- switch
- {
- case ParameterCount > 0:
- BLOB(ParameterCount) Parameters;
- }
- switch
- {
- case DataOffset > CurrentProtocolOffset:
- BLOB(DataOffset-CurrentProtocolOffset) Pad2;
- }
- switch
- {
- case DataCount > 0:
- BLOB(DataCount > frameLength - frameOffset ? frameLength - frameOffset : DataCount) Datas;
-
- }
- switch
- {
- case frameOffset < frameLength &&
- frameOffset < SMBBytesEndOffset:
- BLOB(SMBBytesEndOffset - frameOffset > frameLength - frameOffset ? frameLength - frameOffset : SMBBytesEndOffset - frameOffset) Pad;
- }
- }
-
- Table SMBDeviceTypeTable(type)
- {
- switch(type)
- {
- case 0x00000001: "FILE_DEVICE_BEEP";
- case 0x00000002: "FILE_DEVICE_CD_ROM";
- case 0x00000003: "FILE_DEVICE_CD_ROM_FILE_SYSTEM";
- case 0x00000004: "FILE_DEVICE_CONTROLLER";
- case 0x00000005: "FILE_DEVICE_DATALINK";
- case 0x00000006: "FILE_DEVICE_DFS";
- case 0x00000007: "FILE_DEVICE_DISK";
- case 0x00000008: "FILE_DEVICE_DISK_FILE_SYSTEM";
- case 0x00000009: "FILE_DEVICE_FILE_SYSTEM";
- case 0x0000000A: "FILE_DEVICE_INPORT_PORT";
- case 0x0000000B: "FILE_DEVICE_KEYBOARD";
- case 0x0000000C: "FILE_DEVICE_MAILSLOT";
- case 0x0000000D: "FILE_DEVICE_MIDI_IN";
- case 0x0000000E: "FILE_DEVICE_MIDI_OUT";
- case 0x0000000F: "FILE_DEVICE_MOUSE";
- case 0x00000010: "FILE_DEVICE_MULTI_UNC_PROVIDER";
- case 0x00000011: "FILE_DEVICE_NAMED_PIPE";
- case 0x00000012: "FILE_DEVICE_NETWORK";
- case 0x00000013: "FILE_DEVICE_NETWORK_BROWSER";
- case 0x00000014: "FILE_DEVICE_NETWORK_FILE_SYSTEM";
- case 0x00000015: "FILE_DEVICE_NULL";
- case 0x00000016: "FILE_DEVICE_PARALLEL_PORT";
- case 0x00000017: "FILE_DEVICE_PHYSICAL_NETCARD";
- case 0x00000018: "FILE_DEVICE_PRINTER";
- case 0x00000019: "FILE_DEVICE_SCANNER";
- case 0x0000001A: "FILE_DEVICE_SERIAL_MOUSE_PORT";
- case 0x0000001B: "FILE_DEVICE_SERIAL_PORT";
- case 0x0000001C: "FILE_DEVICE_SCREEN";
- case 0x0000001D: "FILE_DEVICE_SOUND";
- case 0x0000001E: "FILE_DEVICE_STREAMS";
- case 0x0000001F: "FILE_DEVICE_TAPE";
- case 0x00000020: "FILE_DEVICE_TAPE_FILE_SYSTEM";
- case 0x00000021: "FILE_DEVICE_TRANSPORT";
- case 0x00000022: "FILE_DEVICE_UNKNOWN";
- case 0x00000023: "FILE_DEVICE_VIDEO";
- case 0x00000024: "FILE_DEVICE_VIRTUAL_DISK";
- case 0x00000025: "FILE_DEVICE_WAVE_IN";
- case 0x00000026: "FILE_DEVICE_WAVE_OUT";
- case 0x00000027: "FILE_DEVICE_8042_PORT";
- case 0x00000028: "FILE_DEVICE_NETWORK_REDIRECTOR";
- case 0x00000029: "FILE_DEVICE_BATTERY";
- case 0x0000002A: "FILE_DEVICE_BUS_EXTENDER";
- case 0x0000002B: "FILE_DEVICE_MODEM";
- case 0x0000002C: "FILE_DEVICE_VDM";
- default: "Unhandled Device Type";
- }
- }
-
- Table SMBAlignmentRequirementTable(type)
- {
- switch(type)
- {
- case 0x00000000: "FILE_BYTE_ALIGNMENT";
- case 0x00000001: "FILE_WORD_ALIGNMENT";
- case 0x00000003: "FILE_LONG_ALIGNMENT";
- case 0x00000007: "FILE_QUAD_ALIGNMENT";
- case 0x0000000F: "FILE_OCTA_ALIGNMENT";
- case 0x0000001F: "FILE_32_BYTE_ALIGNMENT";
- case 0x0000003F: "FILE_64_BYTE_ALIGNMENT";
- case 0x0000007F: "FILE_128_BYTE_ALIGNMENT";
- case 0x000000FF: "FILE_256_BYTE_ALIGNMENT";
- case 0x000001FF: "FILE_512_BYTE_ALIGNMENT";
- Default: "Unhandled Alignment";
- }
- }
-
- Table SMBDirStorageTypeTable(type)
- {
- switch(type)
- {
- case 1: FormatString("Default, %d(0x%X)", type, type);
- case 2: FormatString("Directory, %d(0x%X)", type, type);
- case 3: FormatString("File, %d(0x%X)", type, type);
- case 5: FormatString("DFS Junction Point, %d(0x%X)", type, type);
- case 6: FormatString("Catalog, %d(0x%X)", type, type);
- case 7: FormatString("Structured Storage, %d(0x%X)", type, type);
- case 8: FormatString("Embedding, %d(0x%X)", type, type);
- case 9: FormatString("Stream, %d(0x%X)", type, type);
- default: FormatString("Unhandled Storage Type, %d(0x%X)", type, type);
- }
- }
-
- Table SMBFileCompressionFormatTable(format)
- {
- switch(format)
- {
- case 0x0000: FormatString("There is no compression %d(%#x)", format, format);
- case 0x0002: FormatString("Compression format is LZNT %d(%#x)", format, format);
- default: FormatString("Unknown Compression format %d(%#x)", format, format);
- }
- }
-
- struct SMBFileStandardInfo(ResumeKeyExist, UnicodeName) = this.FileName.ToString
- {
- [StructBaseOffset = FrameOffset]
- switch
- {
- case ResumeKeyExist:
- UINT32 FindResumeKey;
- }
- SMBDATE CreationDate;
- SMBTIME CreationTime;
- SMBDATE LastAccessDate;
- SMBTIME LastAccessTime;
- SMBDATE LastWriteDate;
- SMBTIME LastWriteTime;
- UINT32 DataSize;
- UINT32 AllocationSize;
- SMBFileAttributes Attributes;
- UINT8 FileNameLength;
- struct FileName = SMBFileNameValue
- {
- switch( UnicodeName )
- {
- case 0:
- [SMBFileNameValue]
- AsciiString( FileNameLength) AsciiName;
- case 1:
- [SMBFileNameValue]
- UnicodeString( FileNameLength/2) UnicodeName;
- }
- }
- [SmbRTransact2NxtEntryOffset = FrameOffset]
- _struct SetNxtEntryOffset{};
- }
-
- struct SMBFileEASizeInfo(ResumeKeyExist, UnicodeName) = SMBFileNameValue
- {
- [StructBaseOffset = FrameOffset]
- switch
- {
- case ResumeKeyExist:
- UINT32 ResumeKey;
- }
- SMBDATE CreationDate;
- SMBTIME CreationTime;
- SMBDATE LastAccessDate;
- SMBTIME LastAccessTime;
- SMBDATE LastWriteDate;
- SMBTIME LastWriteTime;
- UINT32 FileDataSize;
- UINT32 AllocationSize;
- SMBFileAttributes Attributes;
- UINT32 EaSize;
- UINT8 FileNameLength;
- struct FileName = SMBFileNameValue
- {
- switch( UnicodeName )
- {
- case 0:
- [SMBFileNameValue]
- AsciiString( FileNameLength ) AsciiName;
- case 1:
- [SMBFileNameValue]
- UnicodeString( FileNameLength/2 ) UnicodeName;
- }
- }
- CHAR FileNameTerminator;
- [SmbRTransact2NxtEntryOffset = FrameOffset]
- _struct SetNxtEntryOffset{};
- }
-
- struct SMBFileEASFromList(ResumeKeyExist, UnicodeName) = SMBFileNameValue
- {
- [StructBaseOffset = FrameOffset]
- switch
- {
- case ResumeKeyExist:
- UINT32 ResumeKey;
- }
- SMBDATE CreationDate;
- SMBTIME CreationTime;
- SMBDATE LastAccessDate;
- SMBTIME LastAccessTime;
- SMBDATE LastWriteDate;
- SMBTIME LastWriteTime;
- UINT32 FileDataSize;
- UINT32 AllocationSize;
- SMBFileAttributes Attributes;
- SMBFEAList ExtendedAttributeList;
- UINT8 FileNameLength = UnicodeName? FormatString("%u - an arbitrary value", this) : this;
- Struct FileName = SMBFileNameValue
- {
- switch( UnicodeName )
- {
- case 0:
- [SMBFileNameValue]
- AsciiString( FileNameLength ) AsciiName;
- case 1:
- [SMBFileNameValue]
- UnicodeString( FileNameLength / 2 ) UnicodeName;
- }
- }
- CHAR FileNameTerminator;
- [SmbRTransact2NxtEntryOffset = FrameOffset]
- _struct SetNxtEntryOffset{};
- }
- //SMB_FIND_FILE_DIRECTORY_INFO
- struct SMBFileDirInfo(UnicodeName) = this.FileName.ToString
- {
- [
- StructBaseOffset = FrameOffset,
- SmbRTransact2NxtEntryOffset = frameOffset + this
- ]
- UINT32 NextEntryOffset;
- UINT32 FileIndex;
- FILETIME CreationTime;
- FILETIME LastAccessTime;
- FILETIME LastWriteTime;
- FILETIME LastAttrChangeTime;
- SMBLargeInteger EndOfFile;
- SMBLargeInteger AllocationSize;
- SMBNTFileAttributes ExtFileAttributes;
- UINT32 FileNameLength;
- Struct FileName = SMBFileNameValue
- {
- switch( UnicodeName )
- {
- case 0:
- [SMBFileNameValue]
- AsciiString( FileNameLength ) AsciiName;
- case 1:
- [SMBFileNameValue]
- UnicodeString( FileNameLength/2 ) UnicodeName;
- }
- }
- switch
- {
- case frameOffset < SmbRTransact2NxtEntryOffset:
- BLOB(SmbRTransact2NxtEntryOffset - frameOffset) EntryPad;
- }
- }
-
- //SMB_FIND_FILE_FULL_DIRECTORY_INFO
- struct SMBFileFullDirInfo(UnicodeName) = this.FileName.ToString
- {
- [
- StructBaseOffset = FrameOffset,
- SmbRTransact2NxtEntryOffset = frameOffset + this
- ]
- UINT32 NextEntryOffset;
- UINT32 FileIndex;
- FILETIME CreationTime;
- FILETIME LastAccessTime;
- FILETIME LastWriteTime;
- FILETIME ChangeTime;
- SMBLargeInteger EndOfFile;
- SMBLargeInteger AllocationSize;
- SMBNTFileAttributes FileAttributes;
- UINT32 FileNameLength;
- UINT32 EaSize;
- Struct FileName = SMBFileNameValue
- {
- switch( UnicodeName )
- {
- case 0:
- [SMBFileNameValue]
- AsciiString( FileNameLength ) AsciiName;
- case 1:
- [SMBFileNameValue]
- UnicodeString( FileNameLength/2 ) UnicodeName;
- }
- }
- switch
- {
- case frameOffset < SmbRTransact2NxtEntryOffset:
- BLOB(SmbRTransact2NxtEntryOffset - frameOffset) EntryPad;
- }
- }
-
- //SMB_FIND_FILE_NAMES_INFO
- struct SMBFileNamesInfo(UnicodeName) = this.FileName.ToString
- {
- [
- StructBaseOffset = FrameOffset,
- SmbRTransact2NxtEntryOffset = frameOffset + this
- ]
- UINT32 NextEntryOffset;
- UINT32 FileIndex;
- UINT32 FileNameLength;
- Struct FileName = SMBFileNameValue
- {
- switch( UnicodeName )
- {
- case 0:
- [SMBFileNameValue]
- AsciiString( FileNameLength ) AsciiValue;
- case 1:
- [SMBFileNameValue]
- UnicodeString( FileNameLength / 2 ) UnicodeValue;
- }
- }
- switch
- {
- case frameOffset < SmbRTransact2NxtEntryOffset:
- BLOB(SmbRTransact2NxtEntryOffset - frameOffset) EntryPad;
- }
- }
-
- //SMB_FIND_FILE_BOTH_DIRECTORY_INFO for Previous File Version Enumeration
- struct SmbFindFileBothDirectoryInfoPrevFile(UnicodeName) = this.FileName.ToString
- {
- [
- StructBaseOffset = FrameOffset,
- SmbRTransact2NxtEntryOffset = frameOffset + this
- ]
- UINT32 NextEntryOffset;
- UINT32 FileIndex;
- FILETIME CreationTime;
- FILETIME LastAccessTime;
- FILETIME LastWriteTime;
- FILETIME ChangeTime;
- SMBLargeInteger EndOfFile;
- SMBLargeInteger AllocationSize;
- SMBNTFileAttributes FileAttributes;
- UINT32 FileNameLength;
- UINT32 EaSize;
- UINT8 ShortNameLength;
- Blob(1) Reserved;
- UnicodeString(12) ShortName;
- SMBFileNameString(SMBUnicode, true, FileNameLength, ProtocolOffset) FileName;
- switch
- {
- case frameOffset < SmbRTransact2NxtEntryOffset:
- BLOB(SmbRTransact2NxtEntryOffset - frameOffset) EntryPad;
- }
- }
-
- //struct SMBFileOLEDirInfo(UnicodeName) = this.FileName.ToString
- //{
- // [
- // StructBaseOffset = FrameOffset,
- // SmbRTransact2NxtEntryOffset = frameOffset + this
- // ]
- // UINT32 NextEntryOffset;
- // UINT32 FileIndex;
- // FILETIME CreationTime;
- // FILETIME LastAccessTime;
- // FILETIME LastWriteTime;
- // FILETIME ChangeTime;
- // UINT64 EndOfFile;
- // UINT64 AllocationSize;
- // SMBNTFileAttributes FileAttributes;
- // UINT32 FileNameLength;
- // UINT32 StorageType = SMBDirStorageTypeTable(this); //#? DataType
- // GUID(false) OleClassId;
- // UINT32 OleStateBits;
- // BOOLEAN ContentIndexDisable;
- // BOOLEAN InheritContentIndexDisable;
- // SMBFileNameString(UnicodeName, TRUE, FileNameLength, StructBaseOffset) FileName;
- // switch
- // {
- // case frameOffset < SmbRTransact2NxtEntryOffset:
- // BLOB(SmbRTransact2NxtEntryOffset - frameOffset) EntryPad;
- // }
- //}
-
- //SMB_FIND_FILE_ID_FULL_DIRECTORY_INFO
- struct SmbFindFileIdFullDirectoryInfo(UnicodeName) = this.FileName.ToString
- {
- [
- StructBaseOffset = FrameOffset,
- SmbRTransact2NxtEntryOffset = frameOffset + this
- ]
- UINT32 NextEntryOffset;
- UINT32 FileIndex;
- FILETIME CreationTime;
- FILETIME LastAccessTime;
- FILETIME LastWriteTime;
- FILETIME LastChangeTime;
- SMBLargeInteger EndOfFile;
- SMBLargeInteger AllocationSize;
- SMBNTFileAttributes ExtFileAttributes;
- UINT32 FileNameLength;
- UINT32 EaSize;
- SMBLargeInteger FileId;
- SMBFileNameString(UnicodeName, TRUE, FileNameLength, StructBaseOffset) FileName;
- switch
- {
- case frameOffset < SmbRTransact2NxtEntryOffset:
- BLOB(SmbRTransact2NxtEntryOffset - frameOffset) EntryPad;
- }
- }
-
- //SMB_FIND_FILE_ID_BOTH_DIRECTORY_INFO
- struct SmbFindFileIdBothDirectoryInfo(UnicodeName) = this.FileName.ToString
- {
- [
- StructBaseOffset = FrameOffset,
- SmbRTransact2NxtEntryOffset = frameOffset + this
- ]
- UINT32 NextEntryOffset;
- UINT32 FileIndex;
- FILETIME CreationTime;
- FILETIME LastAccessTime;
- FILETIME LastWriteTime;
- FILETIME LastChangeTime;
- SMBLargeInteger EndOfFile;
- SMBLargeInteger AllocationSize;
- SMBNTFileAttributes ExtFileAttributes;
- UINT32 FileNameLength;
- UINT32 EaSize;
- UINT8 ShortNameLength;
- ALIGN(StructBaseOffset, 2) Align2;
- SMBFileNameString(SMBUnicode, TRUE, 24, StructBaseOffset) ShortName;
- ALIGN(StructBaseOffset, 8) Align8;
- SMBLargeInteger FileID;
- SMBFileNameString(UnicodeName, TRUE, FileNameLength, StructBaseOffset) FileName;
- switch
- {
- case frameOffset < SmbRTransact2NxtEntryOffset:
- BLOB(SmbRTransact2NxtEntryOffset - frameOffset) EntryPad;
- }
- }
-
- struct SMBFileFullEAInfo(UnicodeName) = EAName.ToString
- {
- [
- StructBaseOffset = FrameOffset,
- SmbRTransact2NxtEntryOffset = frameOffset + this
- ]
- UINT32 NextEntryOffset;
- UINT8 Flags;
- UINT8 EaNameLength;
- UINT16 EaValueLength;
- SMBFileNameString(UnicodeName, TRUE, EaNameLength, StructBaseOffset) EAName;
- switch
- {
- case frameOffset < SmbRTransact2NxtEntryOffset:
- BLOB(SmbRTransact2NxtEntryOffset - frameOffset) EntryPad;
- }
- }
-
- //NT_TRANSACT_SET_QUOTA or NT_TRANSACT_QUERY_QUOTA
- struct SMBFileQuotaInfo = this.Sid.ToString
- {
- [
- StructBaseOffset = FrameOffset,
- SmbRTransact2NxtEntryOffset = frameOffset + this
- ]
- UINT32 NextEntryOffset;
- UINT32 SidLength;
- FILETIME ChangeTime;
- SMBLargeInteger QuotaUsed;
- SMBLargeInteger QuotaThreshold;
- SMBLargeInteger QuotaLimit;
- Switch
- {
- case SidLength > 0:
- SID(FALSE) Sid;
- }
- switch
- {
- case frameOffset < SmbRTransact2NxtEntryOffset:
- BLOB(SmbRTransact2NxtEntryOffset - frameOffset) EntryPad;
- }
- }
-
- struct SMBComTransaction2Resp
- {
- [
- SMBComSummary = SMBComSummary + ((ConvID > 0) ? (", " + SMBTrans2SubCommandTable(SMBSubCommand)) : ""),
- SMBComSummary = SMBComSummary + ((SMBSubCommand >= 1 && SMBSubCommand <= 8)||SMBSubCommand == 0x0F ? ", " + SMBTrans2InfoLevelTable(SMBSubCommand, TransInformationLevel) : "")
- ]
- UINT8 WordCount;
- UINT16 TotalParameterCount;
- UINT16 TotalDataCount;
- UINT16 Reserved;
- UINT16 ParameterCount;
- UINT16 ParameterOffset;
- UINT16 ParamDisplacement;
- UINT16 DataCount;
- [Post.DataEndOffset = ProtocolOffset + DataOffset + DataCount]
- UINT16 DataOffset;
- UINT16 DataDisplacement;
- // Here, SerupCount will always be 0
- UINT8 SetupCount;
- UINT8 Reserved2;
- switch
- {
- case SetupCount > 0:
- _struct ErrorSetupWords
- {
- // ReportParserError(ParserErrorProtocolClassWindows, "SMB", "Setupcount in SMB Transaction2 Response should always be 0") SetupCountError;
- UINT16 Setup[SetupCount];
- }
- }
- [SMBBytesEndOffset = frameOffset + 2 + ByteCount]
- UINT16 ByteCount;
- switch
- {
- case frameOffset < SMBBytesEndOffset &&
- frameOffset < frameLength &&
- CurrentProtocolOffset < ParameterOffset:
- BLOB(ParameterOffset-CurrentProtocolOffset > SMBBytesEndOffset-offset ? SMBBytesEndOffset-offset : ParameterOffset-CurrentProtocolOffset) Pad1;
- }
- [SMBT2ParameterEndOffset = frameOffset + ParameterCount]
- //
- // These are Transaction2 Response Parameter Block
- //
- switch
- {
- case frameOffset < SMBBytesEndOffset &&
- frameOffset < frameLength &&
- ParamDisplacement == 0 &&
- ParameterCount > 0:
- switch
- {
- case !(ConvID > 0):
- _struct ReportWarning
- {
- ReportParserWarning( "SMB", "May not parse correctly when conversation off") ParserWarning;
- BLOB(ParameterCount > SMBBytesEndOffset-offset ? SMBBytesEndOffset-offset : ParameterCount) Parameters;
- };
- case SMBSubCommand == 0x00: //TRANS2_OPEN2
- struct Open2ParameterBlock
- {
- [
- SMBFileID,
- conversation.SMBFileIDTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- conversation.SMBFileNamePerFrame$[FrameNumber] = conversation.SMBFileNameTable$[MakeByteArray(SMBTID, SMBPID, SMBMID)],
- Property.SMBFileName = conversation.SMBFileNamePerFrame$[FrameNumber],
- Post.conversation.SMBFileIDCount$[SMBFileID] = conversation.SMBFileIDCount$[SMBFileID] + 1,
- Post.conversation.SMBFileIDCountTable$[FrameNumber] = conversation.SMBFileIDCount$[SMBFileID],
- Post.SMBFIDCount = conversation.SMBFileIDCountTable$[FrameNumber],
- Post.conversation.SMBFileNameMVS$[MakeByteArray(SMBTID, SMBFileID, SMBFIDCount)] = Property.SMBFileName,
- Post.BuildConversationWithParent(Property.SMBFileName ? Property.SMBFileName : MakeByteArray(SMBFileID, SMBFIDCount)),
- Post.Conversation.ConversationDescription = Property.SMBFileName ? FormatString("(FileName: %s) ConvID = %d", Property.SMBFileName, ConvID) : FormatString("(FID: 0x%04X) ConvID = %d", SMBFileID, ConvID),
- Post.SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")
- ]
- UINT16 FileID;
- SMBFileAttributes FileAttributes;
- SMBTIME CreationTime;
- SMBDATE CreationDate;
- UINT32 FileDataSize;
- SMBAccessMode GrantedAccess;
- UINT16 FileType = SMBFileTypeTable(this);
- switch(FileType)
- {
- case 1:
- case 2:
- SMBDeviceState DeviceState;
- default:
- UINT16 FileStatus
- {
- UINT16 NoEAs:1 = FormatString(" (%s) File or Directory has %sextended attributes (NO_EAS)", this.ToBitString, this ? "NO ":"");
- UINT16 NoSubstreams:1 = FormatString("(%s) File or Directory has %ssubstreams (NO_SUBSTREAMS)", this.ToBitString, this ? "NO ":"");
- UINT16 NoReparseTag:1 = FormatString("(%s) File or Directory is %sa reparse point (NO_REPARSETAG)", this.ToBitString, this ? "NOT ":"");
- UINT16 Reserved:13 = FormatString(" (%s) Reserved", this.ToBitString);
- };
- }
- SMBOpenAction ActionTaken;
- UINT32 Reserved;
- UINT16 ExtendedAttributeErrorOffset;
- UINT32 ExtendedAttributeLength;
- };
- case SMBSubCommand == 0x01: //TRANS2_FIND_FIRST2
- struct FindFirst2ParameterBlock
- {
- UINT16 Sid;
- [SearchCount]
- UINT16 SearchCount;
- UINT16 EndOfSearch = this? "This response is the last and the find has reached the end of the search results." : "The search MAY be continued using the TRANS2_FIND_NEXT2 transaction.";
- UINT16 EaErrorOffset;
- UINT16 LastNameOffset;
- };
- case SMBSubCommand == 0x02: // TRANS2_FIND_NEXT2
- struct FindNext2ParameterBlock
- {
- UINT16 SearchCount;
- UINT16 EndOfSearch;
- UINT16 EaErrorOffset;
- UINT16 LastNameOffset;
- };
- case SMBSubCommand == 0x05: //TRANS2_QUERY_PATH_INFORMATION
- struct QueryPathInfoParameterBlock
- {
- UINT16 EaErrorOffset;
- };
- case SMBSubCommand == 0x06: // TRANS2_SET_PATH_INFORMATION
- struct SetPathInfoParameters
- {
- switch(TransInformationLevel)
- {
- case 4:
- UINT16 EaErrorOffset;
- default:
- UINT16 Reserved;
- }
- };
- case SMBSubCommand == 0x07: // TRANS2_QUERY_FILE_INFORMATION
- struct QueryFileInfoParameterBlock
- {
- [SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")]
- UINT16 EaErrorOffset;
- };
- case SMBSubCommand == 0x08: //TRANS2_SET_FILE_INFORMATION
- struct SetFileInfoParameterBlock
- {
- [SMBComPramSummary = FormatString(", FID = 0x%04X%s", SMBFileID, Property.SMBFileName ? " (" + Property.SMBFileName + ")" : "")]
- UINT16 EaErrorOffset;
- };
- case SMBSubCommand == 0x0B: //TRANS2_FIND_NOTIFY_FIRST
- struct FindNotifyFirstParameterBlock
- {
- UINT16 MonitorHandle;
- UINT16 ChangeCount;
- UINT16 EaErrorOffset;
- };
- case SMBSubCommand == 0x0C: //TRANS2_FIND_NOTIFY_NEXT
- struct FindNotifyNextParameterBlock
- {
- UINT16 ChangeCount;
- UINT16 EaErrorOffset;
- };
- case SMBSubCommand == 0x0D: //TRANS2_CREATE_DIRECTORY
- struct CreateDirectoryParameterBlock
- {
- UINT16 EaErrorOffset;
- };
- default:
- switch
- {
- case SMBSubCommand >= 0x00:
- _struct ErrorParameterBlock
- {
- ReportParserError(ParserErrorProtocolClassWindows, "SMB", FormatString("Unknown SMB Transaction2 Parameter Block, SubCommand = 0x%X", SMBSubCommand)) SMBSubCommandError;
- BLOB(ParameterCount > SMBBytesEndOffset-offset ? SMBBytesEndOffset-offset : ParameterCount) Parameters;
- };
- default:
- _struct WarningParameterBlock
- {
- ReportParserWarning("SMB", "May not parse correctly when Transaction2 request is missing") SMBParameterBlockWarning;
- BLOB(ParameterCount > SMBBytesEndOffset-offset ? SMBBytesEndOffset-offset : ParameterCount) Parameters;
- };
- }
- }
- }
- switch
- {
- case frameOffset < SMBBytesEndOffset &&
- frameOffset < frameLength &&
- CurrentProtocolOffset < DataOffset:
- BLOB(DataOffset-CurrentProtocolOffset > SMBBytesEndOffset-offset ? SMBBytesEndOffset-offset : DataOffset-CurrentProtocolOffset) Pad2;
- }
- [SMBT2DataEndOffset = frameOffset + DataCount]
- //
- // These are Transaction2 Response Data Block
- //
- switch
- {
- case frameOffset < SMBBytesEndOffset &&
- frameOffset < frameLength &&
- DataDisplacement == 0 &&
- DataCount > 0:
- _struct DataBlock
- {
- switch
- {
- case !(ConvID > 0):
- _struct ReportWarning
- {
- ReportParserWarning( "SMB", "May not parse correctly when conversation off") ParserWarning;
- BLOB(ParameterCount > SMBBytesEndOffset-offset ? SMBBytesEndOffset-offset : ParameterCount) Parameters;
- };
- case SMBSubCommand == 0x01: // FindFirst2
- case SMBSubCommand == 0x02: // FindNext2
- [SmbRTransact2NxtEntryOffset = FrameOffset]
- While Entries[FrameOffset + 12 < FrameLength && SmbRTransact2NxtEntryOffset == FrameOffset]
- {
- switch(TransInformationLevel)
- {
- case 0x0001: // SMB_INFO_STANDARD
- SMBFileStandardInfo(FindResumeKeyRequested, Property.SMBUnicode) StandardInfo;
- case 0x0002: // SMB_INFO_QUERY_EA_SIZE
- SMBFileEASizeInfo(FindResumeKeyRequested, Property.SMBUnicode) EASizeInfo;
- case 0x0003: // SMB_INFO_QUERY_EAS_FROM_LIST
- SMBFileEASFromList(FindResumeKeyRequested, Property.SMBUnicode) EASFromList;
- case 0x0101: // SMB_FIND_FILE_DIRECTORY_INFO
- SMBFileDirInfo(Property.SMBUnicode) DirInfo;
- case 0x0102: // SMB_FIND_FILE_FULL_DIRECTORY_INFO
- SMBFileFullDirInfo(Property.SMBUnicode) FullDirInfo;
- case 0x0103: // SMB_FIND_FILE_NAMES_INFO
- SMBFileNamesInfo(Property.SMBUnicode) NamesInfo;
- case 0x0104: // SMB_FIND_FILE_BOTH_DIRECTORY_INFO
- SmbFindFileBothDirectoryInfoPrevFile(Property.SMBUnicode) BothDirInfo;
- /*
- case 0x0105: // SMB_FIND_FILE_OLE_DIRECTORY_INFO
- SMBFileOLEDirInfo(Property.SMBUnicode) OLEDirInfo;
- */
- case 0x0105: // SMB_FIND_FILE_ID_FULL_DIRECTORY_INFO
- SmbFindFileIdFullDirectoryInfo(Property.SMBUnicode) IDFullDirInfo;
- case 0x0106: // SMB_FIND_FILE_ID_BOTH_DIRECTORY_INFO
- SmbFindFileIdBothDirectoryInfo(Property.SMBUnicode) IDBothDirInfo;
- default:
- _struct Transact2Find2Datas
- {
- SMBReportUnknownInfoLevel(TransInformationLevel) WarningErrorInfo;
- BLOB(FrameLength - FrameOffset) Data;
- };
- }// switch (TransInformationLevel)
- }// While
- case SMBSubCommand == 0x03: //TRANS2_QUERY_FS_INFORMATION
- case SMBSubCommand == 0x0F: //TRANS2_QUERY_FS_INFORMATION_FID
- SMBTrans2FSInfoDataBlock(TransInformationLevel) QueryFSInfoDataBlock;
- case SMBSubCommand == 0x05: //TRANS2_QUERY_PATH_INFORMATION
- case SMBSubCommand == 0x07: //TRANS2_QUERY_FILE_INFORMATION
- switch(TransInformationLevel)
- {
- case 0x0001: // SMB_INFO_STANDARD
- case 0x0002: // SMB_INFO_QUERY_EA_SIZE
- SMBTrans2FileStandard(TransInformationLevel) FileStandard;
- case 0x0003: // SMB_INFO_QUERY_EAS_FROM_LIST
- case 0x0004: // SMB_INFO_QUERY_ALL_EAS
- SMBFEAList FileEAs;
- case 0x0101: // SMB_QUERY_FILE_BASIC_INFO
- case 0x03EC: // FileBasicInformation
- SMBTrans2FileBasicInfo FileBasicInfo;
- case 0x0102: // SMB_QUERY_FILE_STANDARD_INFO
- case 0x03ED: // FileStandardInformation
- SMBTrans2FileStandardInfo FileStandardInfo;
- case 0x0103: // SMB_QUERY_FILE_EA_INFO
- case 0x03EF: // FileEaInformation
- SMBTrans2FileEAInfo FileEAInfo;
- case 0x0104: // SMB_QUERY_FILE_NAME_INFO
- case 0x03F1: // FileNameInformation
- case 0x0108: // SMB_QUERY_FILE_ALT_NAME_INFO
- case 0x03FD: // FileAlternateNameInformation
- case 0x0410: // FileShortNameInformation
- SMBTrans2FileNameInfo NameInfo;
- case 0x0107: // SMB_QUERY_FILE_ALL_INFO
- case 0x03FA: // FileAllInformation
- [property.LengthOfFileName1 = DataOffset % 2 > 0 ? UINT32(FrameData, FrameOffset + 69) : UINT32(FrameData, FrameOffset + 68),
- property.LengthOfFileName2 = DataOffset % 2 > 0 ? UINT32(FrameData, FrameOffset + 89) : UINT32(FrameData, FrameOffset + 88)]
- switch
- {
- //Windows NT Servers send 4 more bytes that are set to arbitrary values and are ignored on receipt
- case DataOffset % 2 > 0 && (property.LengthOfFileName1 + 73 == DataCount || property.LengthOfFileName1 + 73 + 4== DataCount ):
- case DataOffset % 2 == 0 && (property.LengthOfFileName1 + 72 == DataCount || property.LengthOfFileName1 + 72 + 4== DataCount ):
- SMBTrans2FileAllInfoPrivate FileAllInfoPrivate;
- case DataOffset % 2 > 0 && (property.LengthOfFileName2 + 93 == DataCount || property.LengthOfFileName1 + 93 + 4== DataCount ):
- case DataOffset % 2 == 0 && (property.LengthOfFileName2 + 92 == DataCount || property.LengthOfFileName1 + 92 + 4== DataCount ):
- SMBTrans2FileAllInfo FileAllInfo;
- }
- case 0x0109: // SMB_QUERY_FILE_STREAM_INFO
- case 0x03FE: // FileStreamInformation
- SMBTrans2FileStreamInfo FileStreamInfo;
- case 0x010B: // SMB_QUERY_FILE_COMPRESSION_INFO
- case 0x0404: // FileCompressionInformation
- SMBTrans2FileCompressionInfo FileCompressionInfo;
- case 0x0200: // SMB_QUERY_FILE_UNIX_BASIC
- SMBTrans2FileUnixBasicInfo FileUnixBasicInfo;
- case 0x0201: // SMB_QUERY_FILE_UNIX_LINK
- [Post.SMBComPramSummary = ", Link Destination = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) LinkDest;
- case 0x03E9: // FileDirectoryInformation
- [SmbRTransact2NxtEntryOffset = FrameOffset]
- While FileDirInfo[FrameOffset + 64 < FrameLength && SmbRTransact2NxtEntryOffset == FrameOffset]
- {
- SMBFileDirInfo(Property.SMBUnicode) DirInfo;
- };
- case 0x03EA: // FileFullDirectoryInformation
- [SmbRTransact2NxtEntryOffset = FrameOffset]
- While FileFullDirInfo[FrameOffset + 68 < FrameLength && SmbRTransact2NxtEntryOffset == FrameOffset]
- {
- SMBFileFullDirInfo(Property.SMBUnicode) FullDirInfo;
- };
- case 0x03EB: // FileBothDirectoryInformation
- [SmbRTransact2NxtEntryOffset = FrameOffset]
- While FileBothDirInfo[FrameOffset + 69 < FrameLength && SmbRTransact2NxtEntryOffset == FrameOffset]
- {
- SmbFindFileBothDirectoryInfoPrevFile(Property.SMBUnicode) BothDirInfo;
- };
- case 0x03EE: // FileInternalInformation
- _struct FileInternalInfor
- {
- UINT64 IndexNumber;
- };
- case 0x03F0: // FileAccessInformation
- _struct FileAccessInfo
- {
- SMBAccessMask AccessFlags;
- };
- case 0x03F2: // FileRenameInformation
- FSCCFileRenameInformationForSMB FileRenameInfo;
- case 0x03F3: // FileLinkInformation
- FSCCFileLinkInformationForSMB FileLinkInfo;
- case 0x03F4: // FileNamesInformation
- [SmbRTransact2NxtEntryOffset = FrameOffset]
- While FileNamesInfo[FrameOffset + 12 < FrameLength && SmbRTransact2NxtEntryOffset == FrameOffset]
- {
- SMBFileNamesInfo(Property.SMBUnicode) NamesInfo;
- };
- case 0x03F5: // FileDispositionInformation
- _struct FileDispositionInfo
- {
- BOOLEAN DeleteFile;
- };
- case 0x03F6: // FilePositionInformation
- _struct FilePositionInfo
- {
- UINT64 CurrentByteOffset;
- };
- case 0x03F7: // FileFullEaInformation
- [SmbRTransact2NxtEntryOffset = FrameOffset]
- While FileFullEaInfo[FrameOffset + 8 < FrameLength && SmbRTransact2NxtEntryOffset == FrameOffset]
- {
- SMBFileFullEAInfo(Property.SMBUnicode) FullEAInfo;
- };
- case 0x03F8: // FileModeInformation
- _struct FileModeInfo
- {
- UINT32 Mode
- {
- UINT32 Reserved1:1 = FormatString(" (%s) UnUsed",this.ToBitString);
- UINT32 WriteThrough:1 = FormatString(" (%s) %s",this.ToBitString,this ? "Data is written to file before the driver completes a write request" : "Data is NOT written to file before the driver completes a write request");
- UINT32 SequentialOnly:1 = FormatString("(%s) %s",this.ToBitString,this ? "All access to the file is sequential" : "NOT All access to the file is sequential");
- UINT32 Reserved2:1 = FormatString(" (%s) UnUsed",this.ToBitString);
- UINT32 SynIOAlert:1 = FormatString(" (%s) %s",this.ToBitString,this ? "All operations on the file are performed synchronously" : "NOT All operations on the file are performed synchronously");
- UINT32 SynIONonalert:1 = FormatString(" (%s) %s",this.ToBitString,this ? "All operations on the file are to be performed synchronously" :"NOT All operations on the file are to be performed synchronously");
- UINT32 Reserved3:26 = FormatString(" (%s) UnUsed",this.ToBitString);
- };
- };
- case 0x03F9: // FileAlignmentInformation
- _struct FileAlignmentInfo
- {
- UINT32 AlignmentRequirement = SMBAlignmentRequirementTable(this);
- };
- case 0x03FB: // FileAllocationInformation
- _struct FileAllocationInfo
- {
- SMBLargeInteger AllocationSize;
- };
- case 0x03FC: // FileEndOfFileInformation
- _struct FileEndOfFileInfo
- {
- SMBLargeInteger EndOfFile;
- };
- case 0x03FF: // FilePipeInformation
- SMBTrans2FilePipeInfo FilePipeInfo;
- case 0x0400: // FilePipeLocalInformation
- SMBTrans2FilePipeLocalInfo FilePipeLocalInfo;
- case 0x0401: // FilePipeRemoteInformation
- SMBTrans2FilePipeRemoteInfo FilePipeRemoteInfo;
- case 0x0402: // FileMailslotQueryInformation
- SMBTrans2FileMailslotQueryInfo FileMailslotQueryInfo;
- case 0x0403: // FileMailslotSetInformation
- _struct FileMailslotSetInfo
- {
- FILETIME ReadTimeout;
- };
- case 0x0405: // FileObjectIDInformation
- SMBTrans2FileObjectIDInfo FileObjectIDInfo;
- //case 0x0406: // FileCompletionInformation
- case 0x0408: // FileQuotaInformation
- [SmbRTransact2NxtEntryOffset = FrameOffset]
- While FileQuotaInfo[FrameOffset + 8 < FrameLength && SmbRTransact2NxtEntryOffset == FrameOffset]
- {
- SMBFileQuotaInfo QuotaInfo;
- };
- case 0x0409: // FileReparsePointInformation
- _struct FileReparsePointInfo
- {
- UINT64 FileReference;
- UINT32 Tag;
- };
- case 0x040A: // FileNetworkOpenInformation
- SMBTrans2FileNetworkOpenInfo FileNetworkOpenInfo;
- case 0x040B: // FileAttributeTagInformation
- _struct FileAttributeTagInfo
- {
- SMBNTFileAttributes Attributes;
- UINT32 ReparseTag;
- };
- case 0x040C: // FileTrackingInformation
- _struct FileTrackingInfo
- {
- UINT32 DestinationFile;
- UINT32 ObjectInformationLength;
- BLOB(ObjectInformationLength) ObjectInformation;
- };
- case 0x040D: // FileIdBothDirectoryInformation
- [SmbRTransact2NxtEntryOffset = FrameOffset]
- While FileIdBothDirInfo[FrameOffset + 69 < FrameLength && SmbRTransact2NxtEntryOffset == FrameOffset]
- {
- SmbFindFileIdBothDirectoryInfo(Property.SMBUnicode) IDBothDirInfo;
- };
- case 0x040E: // FileIdFullDirectoryInformation
- [SmbRTransact2NxtEntryOffset = FrameOffset]
- While FileIdFullDirInfo[FrameOffset + 76 < FrameLength && SmbRTransact2NxtEntryOffset == FrameOffset]
- {
- SmbFindFileIdFullDirectoryInfo(Property.SMBUnicode) IDFullDirInfo;
- };
- case 0x040F: // FileValidDataLengthInformation
- _struct FileValidDataLengthInfo
- {
- UINT64 ValidDataLength;
- };
- default:
- _struct Transact2Datas
- {
- SMBReportUnknownInfoLevel(TransInformationLevel) WarningErrorInfo;
- BLOB(FrameLength - FrameOffset) Data;
- };
- }
- case SMBSubCommand == 0x08://TRANS2_SET_FILE_INFORMATION: Set File Attributes Given FID
- switch(TransInformationLevel)
- {
- case 0x0001: // SMB_INFO_STANDARD
- case 0x0002: // SMB_INFO_QUERY_EA_SIZE
-
- SMBTrans2FileStandard(TransInformationLevel) FileStandardDataBlock;
- case 0x0101: // SMB_QUERY_FILE_BASIC_INFO
- case 0x03EC: // FileBasicInformation
- SMBTrans2FileBasicInfo FileBasicDataBlock;
- case 0x0102: // SMB_SET_FILE_DISPOSITION_INFO
- case 0x03F5: // FileDispositionInformation
- _struct FileDispositionInfoDataBlock
- {
- BOOLEAN DeleteFile;
- };
- case 0x0103: // SMB_SET_FILE_ALLOCATION_INFO
- case 0x03FB: // FileAllocationInformation
- _struct FileAllocationInfoDataBlock
- {
- SMBLargeInteger AllocationSize;
- };
- case 0x0104: // SMB_SET_FILE_END_OF_FILE_INFO
- case 0x03FC: // FileEndOfFileInformation
- _struct FileEndOfFileInfoDataBlock
- {
- SMBLargeInteger EndOfFile;
- };
- case 0x0200: // SMB_QUERY_FILE_UNIX_BASIC
- SMBTrans2FileUnixBasicInfo FileUnixBasicInfoDataBlock;
- case 0x0201: // SMB_QUERY_FILE_UNIX_LINK
- case 0x0203: // SMB_QUERY_FILE_UNIX_HLINK
- [Post.SMBComPramSummary = ", Link Destination = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) LinkDest;
- case 0x03F2: // FileRenameInformation
- FSCCFileRenameInformationForSMB FileRenameInfoDataBlock;
- case 0x03F3: // FileLinkInformation
- FSCCFileLinkInformationForSMB FileLinkInfoDataBlock;
- case 0x03F6: // FilePositionInformation
- _struct FilePositionInfoDataBlock
- {
- UINT64 CurrentByteOffset;
- };
- case 0x03F8: // FileModeInformation
- _struct FileModeInfoDataBlock
- {
- UINT32 Mode
- {
- UINT32 Reserved1:1 = FormatString(" (%s) UnUsed",this.ToBitString);
- UINT32 WriteThrough:1 = FormatString(" (%s) %s",this.ToBitString,this ? "Data is written to file before the driver completes a write request" : "Data is NOT written to file before the driver completes a write request");
- UINT32 SequentialOnly:1 = FormatString("(%s) %s",this.ToBitString,this ? "All access to the file is sequential" : "NOT All access to the file is sequential");
- UINT32 Reserved2:1 = FormatString(" (%s) UnUsed",this.ToBitString);
- UINT32 SynIOAlert:1 = FormatString(" (%s) %s",this.ToBitString,this ? "All operations on the file are performed synchronously" : "NOT All operations on the file are performed synchronously");
- UINT32 SynIONonalert:1 = FormatString(" (%s) %s",this.ToBitString,this ? "All operations on the file are to be performed synchronously" :"NOT All operations on the file are to be performed synchronously");
- UINT32 Reserved3:26 = FormatString(" (%s) UnUsed",this.ToBitString);
- };
- };
- case 0x03FF: // FilePipeInformation
- SMBTrans2FilePipeInfo FilePipeInfoDataBlock;
- case 0x0401: // FilePipeRemoteInformation
- SMBTrans2FilePipeRemoteInfo FilePipeRemoteInfoDataBlock;
- case 0x0405: // FileObjectIDInformation
- SMBTrans2FileObjectIDInfo FileObjectIDInfoDataBlock;
- case 0x0408: // FileQuotaInformation
- [SmbRTransact2NxtEntryOffset = FrameOffset]
- While FileQuotaInfo[FrameOffset + 8 < FrameLength && SmbRTransact2NxtEntryOffset == FrameOffset]
- {
- SMBFileQuotaInfo QuotaInfo;
- };
- case 0x040F: // FileValidDataLengthInformation
- _struct FileValidDataLengthInfoDataBlock
- {
- UINT64 ValidDataLength;
- };
- case 0x0410: // FileNameInformation
- SMBTrans2FileNameInfo NameInfoDataBlock;
- //case 0x0105: //SMB_SET_FILE_OLE_CLASSID_INFO
- //case 0x0106: //SMB_SET_FILE_OLE_STATE_BITS_INFO
- //case 0x0107: //SMB_SET_FILE_OBJECTID_INFO
- //case 0x0108: //SMB_SET_FILE_CONTENT_INDEX_INFO
- //case 0x0109: //SMB_SET_FILE_INHERIT_CONTENT_INDEX_INFO
- //case 0x010A: //SMB_SET_FILE_OLE_INFO
- default:
- _struct ErrorDataBlock
- {
- SMBReportUnknownInfoLevel(TransInformationLevel) WarningErrorInfo;
- BLOB(FrameLength - FrameOffset) Data;
- };
- }
- case SMBSubCommand == 0x0E: //#? TRANS2_SESSION_SETUP
- struct SessionSetupDataBlock
- {
- UINT8 WordCount;
- UINT8 Pad;
- UINT16 UserID;
- UINT32 SecurityBlobLength;
- SMBSecurityBlob(SecurityBlobLength) SecurityBlob;
- }
- case SMBSubCommand == 0x10: //TRANS2_GET_DFS_REFERRAL
- [DataFieldFrameLength = SMBBytesEndOffset]
- DFSC Dfsc;
- default:
- switch
- {
- case SMBSubCommand >= 0x00:
- _struct ErrorDataBlock
- {
- ReportParserError(ParserErrorProtocolClassWindows, "SMB", FormatString("Unknown SMB Transaction2 Data Block, SubCommand = 0x%X", SMBSubCommand)) SMBSubCommandError;
- BLOB(FrameLength - FrameOffset) Data;
- };
- default:
- _struct WarningDataBlock
- {
- ReportParserWarning("SMB", "May not parse correctly when Transaction2 request is missing") SMBDataBlockWarning;
- BLOB(FrameLength - FrameOffset) Data;
- };
- }
- }//End of switch(SMBSubCommand)
- switch
- {
- case FrameOffset < FrameLength:
- BLOB(FrameLength - FrameOffset) OtherData;
- }
- }//End of struct SMBTrans2DataBlock
-
- case DataDisplacement > 0 && DataCount > 0:
- //
- // These are Fragmented Ttrans2 Response Data
- //
- [
- SMBContinuation = TRUE,
- SMBComPramSummary = SMBComPramSummary + " - Continued Response",
- PayloadStart(
- NetworkDirection, /* direction */
- 0, /* id */
- DataDisplacement, /* sequence token */
- DataDisplacement + DataCount, /* next sequence token */
- 0, /* total payload length */
- 0, /* is first */
- TotalParameterCount == ParamDisplacement + ParameterCount && TotalDataCount == DataDisplacement + DataCount, /* is last */
- RssmblyIndStartBit+RssmblyIndEndBit+RssmblySequenceBit+RssmblySelfBit, //has start and end indication
- 0x0000, /* Properties... */
- SMBResponse,
- 0x0000, /* Properties... */
- ""
- )
- ]
- BLOB(DataCount > FrameLength - FrameOffset ? FrameLength - FrameOffset : DataCount) Data;
- }
- switch
- {
- case frameOffset < frameLength &&
- frameOffset < SMBBytesEndOffset:
- BLOB(SMBBytesEndOffset - frameOffset > frameLength - frameOffset ? frameLength - frameOffset : SMBBytesEndOffset - frameOffset) Pad;
- }
- }
-
- Struct SMBReportUnknownInfoLevel(InfoLevel)
- {
- Switch
- {
- case IsValueNone(InfoLevel):
- ReportParserWarning("SMB", "May not parse correct, the InformationLevel is missing.") SMBInformationLevelWarning;
- default:
- ReportParserError(ParserErrorProtocolClassWindows, "SMB", FormatString("Unknown SMB Transaction2 Data Block, Information Level = 0x%X", InfoLevel)) SMBInformationLevelError;
- }
- }
-
- struct SMBTrans2FSInfoDataBlock(TransInformationLevel) = SMBTrans2QueryFSInfoLevelTable(TransInformationLevel)
- {
- switch(TransInformationLevel)
- {
- case 0x0001: //SMB_INFO_ALLOCATION
- _struct Standard
- {
- UINT32 FileSystemID;
- UINT32 cSectorUnit;
- UINT32 cUnit;
- UINT32 cUnitAvailable ;
- UINT16 cbSector;
- };
- case 0x0002: // SMB_INFO_VOLUME
- _struct VolumeInfo
- {
- UINT32 ulVolSerialNbr;
- UINT8 cCharCount;
- [Post.SMBComPramSummary = ", Volume = " + SMBFileNameValue]
- struct VolumeLabel = SMBFileNameValue
- {
- switch( SMBUnicode )
- {
- case 0:
- [SMBFileNameValue]
- AsciiString( cCharCount ) AsciiVolumeLabel;
- case 1:
- [SMBFileNameValue]
- UnicodeString( cCharCount ) UnicodeVolumeLabel;
- }
- }
- switch
- {
- case !SMBUnicode:
- BLOB( FrameLength - FrameOffset ) ExtraNullPad;
- }
- };
- case 0x0101: // SMB_QUERY_FS_LABEL_INFO
- case 0x03EA: // FileFsLabelInformation
- _struct FSLabelInformation
- {
- UINT32 VolumeLabelLength;
- [Post.SMBComPramSummary = ", FSLabel = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, FALSE, 0, ProtocolOffset) FSLabel;
- };
- case 0x0102: // SMB_QUERY_FS_VOLUME_INFO
- case 0x03E9: // FileFsVolumeInformation
- _struct FsVolumeInformation
- {
- FILETIME CreationTime;
- UINT32 VolumeSerialNumber;
- UINT32 VolumeLabelLength;
- BOOLEAN SupportsObjects;
- [Post.SMBComPramSummary = SMBFileNameValue ? ", Label = " + SMBFileNameValue :""]
- SMBFileNameString(SMBUnicode, TRUE, VolumeLabelLength, ProtocolOffset) VolumeLabel;
- }
- case 0x0103: // SMB_QUERY_FS_SIZE_INFO
- case 0x03EB: // FileFsSizeInformation
- _struct FsSizeInformation
- {
- UINT64 TotalAllocationUnits;
- UINT64 AvailableAllocationUnits;
- UINT32 SectorsPerAllocationUnit;
- UINT32 BytesPerSector;
- }
- case 0x0104: // SMB_QUERY_FS_DEVICE_INFO
- case 0x03EC: // FileFsDeviceInformation
- _struct FsDeviceInformation
- {
- UINT32 DeviceType = SMBDeviceTypeTable(this);
- // # ? this field will be enriched in future.
- [DataFieldByteOrder = LittleEndian]
- UINT32 DeviceCharacteristics
- {
- UINT32 Removable:1 = FormatString(" (%s) %s (FILE_REMOVABLE_MEDIA)", this.ToBitString, this ? "Removable Media" : "NOT Removable Media");
- UINT32 ReadOnly:1 = FormatString(" (%s) %s (FILE_READ_ONLY_DEVICE)", this.ToBitString, this ? "Read Only Device" : "NOT Read Only Device");
- UINT32 Floppy:1 = FormatString(" (%s) %s (FILE_FLOPPY_DISKETTE)", this.ToBitString, this ? "Floppy Diskette" : "NOT Floppy Diskette");
- UINT32 WriteOne:1 = FormatString(" (%s) %s (FILE_WRITE_ONE_MEDIA)", this.ToBitString, this ? "Write One Media" : "NOT Write One Media");
- UINT32 Remote:1 = FormatString(" (%s) %s (FILE_REMOTE_DEVICE)", this.ToBitString, this ? "Remote Device" : "NOT Remote Device");
- UINT32 IsMounted:1 = FormatString(" (%s) %s (FILE_DEVICE_IS_MOUNTED)", this.ToBitString, this ? "Device Is Mounted" : "Device Is NOT Mounted");
- UINT32 VirtualVolume:1 = FormatString(" (%s) %s (FILE_VIRTUAL_VOLUME)", this.ToBitString, this ? "Virtual Volume" : "NOT Virtual Volume");
- UINT32 DeviceSecureOpen:1 = FormatString(" (%s) %s (FILE_DEVICE_SECURE_OPEN)", this.ToBitString, this ? "Volume ACL Is Checked" : "Volume ACL Is Not Checked" );
- UINT32 CharacteristicsTsDevice:1 = FormatString(" (%s) %s (FILE_CHARACTERISTIC_TS_DEVICE)", this.ToBitString , this ? "Device object is part of a Terminal Services device stack" : "Device object is part of a Terminal Services device stack");
- UINT32 CharacteristicsWebDavDevice:1 = FormatString("(%s) %s (FILE_CHARACTERISTIC_WEBDAV_DEVICE)", this.ToBitString , this ? "Web-based Distributed Authoring and Versioning (WebDAV) file system is mounted on the device" : "Web-based Distributed Authoring and Versioning (WebDAV) file system is not mounted on the device");
- UINT32 Reserved:22 = FormatString(" (%s) Reserved", this.ToBitString);
- };
- };
- case 0x0105: // SMB_QUERY_FS_ATTRIBUTE_INFO
- case 0x03ED: // FileFsAttributeInformation
- _struct FsAttributeInformation
- {
- UINT32 FileSystemAttributes
- {
- UINT32 CaseSensitiveSearch:1 = FormatString(" (%s) %s (FILE_CASE_SENSITIVE_SEARCH)", this.ToBitString, this ? "Case Sensitive Search" : "NOT Case Sensitive Search");
- UINT32 CasePreservedNames:1 = FormatString(" (%s) %s (FILE_CASE_PRESERVED_NAMES)", this.ToBitString, this ? "Use Case Preserved Names" : "Do NOT Use Case Preserved Names");
- UINT32 UnicodeonDisk:1 = FormatString(" (%s) %s (FILE_UNICODE_ON_DISK)",this.toBitString,this?"File supports unicode name":"File does not support unicode name");
- UINT32 PersistentAcls:1 = FormatString(" (%s) %s (FILE_PERSISTENT_ACLS)", this.ToBitString, this ? "Has Persistent ACLs" : "Does NOT Have Persistent ACLs");
- UINT32 FileCompression:1 = FormatString(" (%s) %s (FILE_FILE_COMPRESSION)", this.ToBitString, this ? "File is Compressed" : "File is NOT Compressed");
- UINT32 VolumeQuotas:1 = FormatString(" (%s) %s (FILE_VOLUME_QUOTAS)", this.ToBitString, this ? "Volume Quotas" : "NO Volume Quotas");
- UINT32 SupportSparseFile:1 = FormatString(" (%s) %s (FILE_SUPPORTS_SPARSE_FILES)",this.toBitString,this?"File supports sparse files":"File does not support sparse file");
- UINT32 SupportReparsePoint:1 = FormatString(" (%s) %s (FILE_SUPPORTS_REPARSE_POINTS)",this.toBitString,this?"File supports Reparse points":"File does not support reparse points");
- UINT32 SupportRemoteStorage:1 = FormatString(" (%s) %s (FILE_SUPPORTS_REMOTE_STORAGE)",this.toBitString,this?"File supports remote storage":"File does not support remote storage");
-
- UINT32 Reserved:6 = FormatString(" (%s) Reserved (Reserved)",this.toBitString);
- UINT32 VolumeCompressed:1 = FormatString(" (%s) %s (FILE_VOLUME_IS_COMPRESSED)",this.toBitString,this?"Volume is Compressed":"Volume is not compressed");
-
- UINT32 SupportObject:1 = FormatString(" (%s) %s (FILE_SUPPORTS_OBJECT_IDS)",this.toBitString,this?"File support object":"File does not support object");
- UINT32 SupportEncryption:1 = FormatString(" (%s) %s (FILE_SUPPORTS_ENCRYPTION)",this.toBitString,this?"File supports encryption":"File does not support encryption");
- UINT32 NamedStream:1 = FormatString(" (%s) %s (FILE_NAMED_STREAMS)",this.toBitString,this?"File supports multiple named data streams for a file":"File does not support multiple named data streams for a file");
- UINT32 ReadOnlyVolume:1 = FormatString(" (%s) %s (FILE_READ_ONLY_VOLUME)",this.toBitString,this?"Specified volume is read only":"Specified volume can be write");
- UINT32 SequentialWriteOnce:1 = FormatString(" (%s) %s (FILE_SEQUENTIAL_WRITE_ONCE)",this.toBitString,this?"Specified volume can be written to one time":"Specified volume can be written not only to one time");
- UINT32 SupportTransactions:1 = FormatString(" (%s) %s (FILE_SUPPORTS_TRANSACTIONS)",this.toBitString,this?"File system supports transaction processing":"File system dose not support transaction processing");
- UINT32 SupportHardLinks:1 = FormatString(" (%s) %s (FILE_SUPPORTS_HARD_LINKS)",this.toBitString,this?"File system supports direct links to other devices and partitions":"File system does not support direct links to other devices and partitions");
- UINT32 SupportsExtendedAttributes:1 = FormatString("(%s) %s (FILE_SUPPORTS_EXTENDED_ATTRIBUTES)",this.toBitString,this?"File system stores extended attribute information per file":"File system doesnot stores extended attribute information per file");
- UINT32 Reserved_bits24_31:8 = FormatString(" (%s) Reserved", this.ToBitString);
- }
- UINT32 MaximumComponentNameLength;
- UINT32 FileSystemNameLength;
- [Post.SMBComPramSummary = ", FS = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, TRUE, FileSystemNameLength, ProtocolOffset) FSName;
- }
- case 0x200: // SMB_UNIX_QUERY_FS_INFO
- _struct UnixQueryFSInfomation
- {
- UINT16 MajorVersionNumber;
- UINT16 MinorVersionNumber;
- // #? this capability is 8 bytes.
- UINT64 Capability;
- };
- case 0x301: // SMB_Mac_Query_FS_Info
- _struct SMBMacQueryFSInfomation
- {
- FILETIME CreationTime;
- FILETIME ModifyTime;
- FILETIME BackupTime;
- UINT32 AllocationBlocks;
- UINT32 AllocationBlockSize;
- UINT32 FreeBlockCount;
- Blob(32) FinderInfo = FormatString("%X", this);
- UINT32 RootFilesNumber;
- UINT32 RootDirectoriesNumber;
- UINT32 FilesNumber;
- UINT32 DirectoriesNumber;
- // #? this flags will be enriched in future.
- UINT32 SupportFlags;
- };
- case 0x03EE: // FileFsControlInformation
- _struct SMBFSControlInfomation
- {
- UINT64 FreeSpaceStartFiltering;
- UINT64 FreeSpaceThreshold;
- UINT64 FreeSpaceStopFiltering;
- UINT64 DefaultQuotaThreshold;
- UINT64 DefaultQuotaLimit;
- UINT32 FileSystemControlFlags;
- };
- case 0x03EF: // FileFsFullSizeInformation
- _struct FsFullSizeInformation
- {
- UINT64 TotalAllocationUnits;
- UINT64 CallerAvailableAllocationUnits;
- UINT64 ActualAvailableAllocationUnits;
- UINT32 SectorsPerAllocationUnit;
- UINT32 BytesPerSector;
- }
- case 0x03F0: // FileFsObjectIdInformation
- _struct FsObjectIDInformation
- {
- GUID(FALSE) QueryObjectID;
- // this did NOT desc in the doc
- UINT8 ExtendedInfo[48];
- }
- case 0x03F1: // FileFsDriverPathInformation
- _struct FsDriverPathInformation
- {
- BOOLEAN DriverInPath;
- UINT32 DriverNameLength;
- ALIGN2 Align;
- UnicodeString(DriverNameLength/2) DriverName;
- }
- case 0x03F2: // FileFsVolumeFlagsInformation
- _struct FsVolumeFlagsInformation
- {
- UINT32 Flags;
- }
- default:
- _struct Transact2UnknownDatas
- {
- SMBReportUnknownInfoLevel(TransInformationLevel) WarningErrorInfo;
- BLOB(FrameLength - FrameOffset) Data;
- };
- }
- }
-
- struct SMBTrans2FileStandard(InfoLevel)
- {
- SMBDATE CreationDate;
- SMBTIME CreationTime;
- SMBDATE LastAccessDate;
- SMBTIME LastAccessTime;
- SMBDATE LastWriteDate;
- SMBTIME LastWriteTime;
- UINT32 DataSize;
- UINT32 AllocationSize;
- SMBFileAttributes Attributes;
- switch(InfoLevel)
- {
- case 0x0002:
- UINT32 EaSize;
- };
- }
-
- struct SMBTrans2FileBasicInfo
- {
- FILETIME CreationTime;
- FILETIME AccessTime;
- FILETIME LastWriteTime;
- FILETIME LastChangeTime;
- SMBNTFileAttributes Attributes;
- };
-
- struct SMBTrans2FileStandardInfo
- {
- SMBLargeInteger AllocationSize;
- SMBLargeInteger EndOfFile;
- UINT32 NumberOfLinks;
- BOOLEAN DeletePending;
- BOOLEAN IsDirectory;
- };
-
- struct SMBTrans2FileEAInfo
- {
- UINT32 EaLength;
- }
-
- struct SMBTrans2FileNameInfo
- {
- [StructBaseOffset = FrameOffset]
- UINT32 FileNameLength;
- [Post.SMBComPramSummary = ", FileName = " + SMBFileNameValue]
- SMBFileNameString(SMBUnicode, TRUE, FileNameLength, StructBaseOffset) FileName;
- }
-
- //TRANS2_QUERY_FILE_INFORMATION Response
- struct SMBTrans2FileAllInfoPrivate
- {
- //BasicInformation
- FILETIME CreationTime;
- FILETIME LastAccessTime;
- FILETIME LastWriteTime;
- FILETIME ChangeTime;
- SMBNTFileAttributes Attributes;
- //StandardInformation
- UINT32 Reserved1;
- SMBLargeInteger AllocationSize;
- SMBLargeInteger EndOfFile;
- UINT32 NumberOfLinks;
- BOOLEAN DeletePending;
- BOOLEAN Directory;
- UINT16 Reserved2;
- UINT32 EASize;
- UINT32 FileNameLength;
- [Post.SMBComPramSummary = ", FileName = " + SMBFileNameValue]
- SMBFileNameString(1, TRUE, FileNameLength, ProtocolOffset) FileName;
- }
-
- struct SMBTrans2FileAllInfo
- {
- //BasicInformation
- FILETIME CreationTime;
- FILETIME AccessTime;
- FILETIME LastWriteTime;
- FILETIME LastChangeTime;
- SMBNTFileAttributes Attributes;
- //StandardInformation
- SMBLargeInteger AllocationSize;
- SMBLargeInteger EndOfFile;
- UINT32 NumberOfLinks;
- BOOLEAN DeletePending;
- BOOLEAN IsDirectory;
- //InternalInformation
- UINT64 IndexNumber;
- //EaInformation
- UINT32 EaLength;
- //AccessInformation
- SMBAccessMask AccessFlags;
- //PositionInformation
- UINT64 CurrentByteOffset;
- //ModeInformation
- UINT32 Mode
- {
- UINT32 Reserved1:1 = FormatString(" (%s) UnUsed",this.ToBitString);
- UINT32 WriteThrough:1 = FormatString(" (%s) %s",this.ToBitString,this ? "Data is written to file before the driver completes a write request" : "Data is NOT written to file before the driver completes a write request");
- UINT32 SequentialOnly:1 = FormatString("(%s) %s",this.ToBitString,this ? "All access to the file is sequential" : "NOT All access to the file is sequential");
- UINT32 Reserved2:1 = FormatString(" (%s) UnUsed",this.ToBitString);
- UINT32 SynIOAlert:1 = FormatString(" (%s) %s",this.ToBitString,this ? "All operations on the file are performed synchronously" : "NOT All operations on the file are performed synchronously");
- UINT32 SynIONonalert:1 = FormatString(" (%s) %s",this.ToBitString,this ? "All operations on the file are to be performed synchronously" :"NOT All operations on the file are to be performed synchronously");
- UINT32 Reserved3:26= FormatString(" (%s) UnUsed",this.ToBitString);
- };
- //AlignmentInformation
- UINT32 AlignmentRequirement;
- //NameInformation
- UINT32 FileNameLength;
- [Post.SMBComPramSummary = ", FileName = " + SMBFileNameValue]
- SMBFileNameString(1 , TRUE, FileNameLength, ProtocolOffset) FileName;
- }
-
- struct SMBTrans2FileStreamInfo
- {
- [StreamNextEntryOffset = frameOffset]
- while StreamEntries[StreamNextEntryOffset == frameOffset]
- {
- [
- StructBaseOffset = FrameOffset,
- StreamNextEntryOffset = frameOffset + NextEntryOffset
- ]
- UINT32 NextEntryOffset;
- UINT32 StreamNameLength;
- UINT64 StreamSize;
- SMBLargeInteger AllocationSize;
- SMBFileNameString(1, TRUE, StreamNameLength, StructBaseOffset) StreamName;
- switch
- {
- case FrameOffset < StreamNextEntryOffset:
- BLOB(StreamNextEntryOffset - FrameOffset) Padding;
- }
- }
- }
-
- struct SMBTrans2FileCompressionInfo
- {
- UINT64 CompressedFileSize;
- UINT16 CompressionFormat = SMBFileCompressionFormatTable(this);
- UINT8 CompressionUnitShift;
- UINT8 CompressionChunkShift;
- UINT8 CompressionClusterShift;
- UINT24 Reserved;
- }
-
- struct SMBTrans2FileUnixBasicInfo
- {
- SMBLargeInteger EndOfFile;
- UINT64 BytesNumber;
- FILETIME LastStatusChange;
- FILETIME LastAccessTime;
- FILETIME LastModificationTime;
- UINT64 FileOwnerUID;
- UINT64 FileGroupGID;
- UINT32 FileType = SMBUnixFileType(this);
- UINT64 MajorDeviceNumber;
- UINT64 MinorDeviceNumber;
- UINT64 UniqueID;
- UINT64 Permissions;
- UINT64 Nlinks;
- }
-
- struct SMBTrans2FilePipeInfo
- {
- UINT32 ReadMode;
- UINT32 CompletionMode;
- }
-
- struct SMBTrans2FilePipeLocalInfo
- {
- UINT32 NamedPipeType;
- UINT32 NamedPipeConfiguration;
- UINT32 MaximumInstances;
- UINT32 CurrentInstances;
- UINT32 InboundQuota;
- UINT32 ReadDataAvailable;
- UINT32 OutboundQuota;
- UINT32 WriteQuotaAvailable;
- UINT32 NamedPipeState;
- UINT32 NamedPipeEnd;
- }
-
- struct SMBTrans2FilePipeRemoteInfo
- {
- FILETIME CollectDataTime;
- UINT32 MaximumCollectionCount;
- }
-
- struct SMBTrans2FileMailslotQueryInfo
- {
- UINT32 MaximumMessageSize;
- UINT32 MailslotQuota;
- UINT32 NextMessageSize;
- UINT32 MessagesAvailable;
- FILETIME ReadTimeout;
- }
-
- struct SMBTrans2FileObjectIDInfo
- {
- UINT64 FileReference;
- GUID(FALSE) ObjectID;
- GUID(FALSE) BirthVolumeId;
- GUID(FALSE) BirthObjectId;
- GUID(FALSE) DomainId;
- }
-
- struct SMBTrans2FileNetworkOpenInfo
- {
- FILETIME CreationTime;
- FILETIME AccessTime;
- FILETIME LastWriteTime;
- FILETIME LastChangeTime;
- SMBLargeInteger AllocationSize;
- SMBLargeInteger EndOfFile;
- SMBNTFileAttributes Attributes;
- UINT32 Unknown;
- }
-
- Table SMBComSubCommandTable(command, subCommand)
- {
- switch(command)
- {
- case 0x32: SMBTrans2SubCommandTable(subCommand);
- case 0xA0: SMBNTTransactFunctionTable(subCommand);
- default: "";
- }
- }
-
- [Property.NLMPCurrentProtocol = "smb"]
- struct SMBSecurityBlob(Length) = FormatString("%s %s %s", Property.KrbSname, Property.KrbReam, Property.KrbErrorCode)
- {
- switch
- {
- case Length > 0:
- [DataFieldFrameLength = FrameOffset + Length]
- struct
- {
- [SMBSummary = SMBSummary + " Authentication Method: GSSAPI"]
- GSSAPI GSSAPI;
- switch
- {
- case FrameLength > FrameOffset:
- BLOB(FrameLength - FrameOffset) UnknownSecurityBlobData;
- }
- }
- }
- }
-
- struct SMBLargeInteger = FormatString("%d",LargeInteger)
- {
- INT64 LargeInteger;
- }
-
- // [MS-CIFS] 2.2.6.2.1 Request (TRANS2_FIND_FIRST2)
- Table SMBSearchStorageTypeTable(type)
- {
- switch(type)
- {
- case 0x01 : FormatString("%d (%#x) FILE_DIRECTORY_FILE: Search only for directories.", type, type);
- case 0x40 : FormatString("%d (%#x) FILE_NON_DIRECTORY_FILE: Search only for files.", type, type);
- default : FormatString("%d (%#x)", type, type);
- }
- }
-
- // [MS-CIFS] 2.2.1.2.2.1 SMB_FEA_LIST
- struct SMBFEAList = FormatString("%d SMB_FEA elements in %d bytes", Property.SmbFeaListCount, SizeOfListInBytes)
- {
- UINT32 SizeOfListInBytes;
- [Local.SMBEADataStartOffSet = FrameOffSet, Property.SmbFeaListCount = 0]
- while[FrameOffSet < (Local.SMBEADataStartOffSet + SizeOfListInBytes - 4)]
- {
- [Property.SmbFeaListCount = Property.SmbFeaListCount + 1]
- SMBFEA FEA;
- }
- };
-
- // [MS-CIFS] 2.2.1.2.1 SMB_GEA
- struct SMBGEA = AttributeName
- {
- UINT8 AttributeNameLengthInBytes;
- AsciiString(AttributeNameLengthInBytes + 1) AttributeName;
- }
-
- // [MS-CIFS] 2.2.1.2.1.1 SMB_GEA_LIST
- struct SMBGEAList = FormatString("%d SMB_GEA elements in %d bytes", Property.SmbGeaListCount, SizeOfListInBytes)
- {
- UINT32 SizeOfListInBytes;
- [Local.SMBEADataStartOffSet = FrameOffSet, Property.SmbGeaListCount = 0]
- while[FrameOffSet < (Local.SMBEADataStartOffSet + SizeOfListInBytes - 4)]
- {
- [Property.SmbGeaListCount = Property.SmbGeaListCount + 1]
- SMBGEA GEA;
- }
- };