internal AbstractSmbCommand(CifsPacket parentCifsPacket, string packetTypeDescription)
: base(parentCifsPacket.ParentFrame, parentCifsPacket.ParametersStartIndex, parentCifsPacket.ParentFrame.Data.Length - 1, packetTypeDescription)
{
this.parentCifsPacket = parentCifsPacket;
this.securityBlobIndex = null;
this.securityBlobLength = 0;
}
public override IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference)
{
if (includeSelfReference)
{
yield return(this);
}
if (this.messageType == 0x00 && PacketStartIndex + 4 < PacketEndIndex)
{
AbstractPacket packet;
try {
packet = new CifsPacket(ParentFrame, PacketStartIndex + 4, PacketEndIndex);
}
catch {
packet = new RawPacket(ParentFrame, PacketStartIndex + 4, PacketEndIndex);
}
yield return(packet);
foreach (AbstractPacket subPacket in packet.GetSubPackets(false))
{
yield return(subPacket);
}
}
}
internal ReadAndXResponse(CifsPacket parentCifsPacket)
: base(parentCifsPacket, "CIFS Read AndX Response")
{
//SE TILL ATT ram_load.sh kan extraheras (smb.fid == 0x21a0)
this.dataLenght = Utils.ByteConverter.ToUInt16(ParentFrame.Data, parentCifsPacket.parametersStartIndex + 10, true);
this.dataOffset = Utils.ByteConverter.ToUInt16(ParentFrame.Data, parentCifsPacket.parametersStartIndex + 12, true);
}
internal CloseRequest(CifsPacket parentCifsPacket)
: base(parentCifsPacket, "Close Request")
{
this.fileId = Utils.ByteConverter.ToUInt16(ParentFrame.Data, parentCifsPacket.parametersStartIndex, true);
if (!this.ParentFrame.QuickParse)
{
base.Attributes.Add("File ID", "0x" + fileId.ToString("X2"));
}
}
internal NTCreateAndXResponse(CifsPacket parentCifsPacket)
: base(parentCifsPacket, "NT Create AndX Response")
{
this.fileId = Utils.ByteConverter.ToUInt16(ParentFrame.Data, parentCifsPacket.parametersStartIndex + 5, true);
if (!this.ParentFrame.QuickParse)
{
base.Attributes.Add("File ID", "0x" + fileId.ToString("X2"));
}
this.endOfFile = Utils.ByteConverter.ToUInt64(ParentFrame.Data, parentCifsPacket.parametersStartIndex + 55, true);
}
internal NegotiateProtocolRequest(CifsPacket parentCifsPacket)
: base(parentCifsPacket, "CIFS Negotiate Protocol Request")
{
this.dialectList = new List <string>();
ushort byteCount = Utils.ByteConverter.ToUInt16(parentCifsPacket.ParentFrame.Data, parentCifsPacket.parametersStartIndex, true);
int packetIndex = parentCifsPacket.ParametersStartIndex + 2;//It now points to the first BufferFormat in Dialects[]
int dialectsStartIndex = packetIndex;
packetIndex++;//I've now skipped pased the first 0x02 (buffer format)
while (packetIndex - dialectsStartIndex < byteCount && packetIndex < parentCifsPacket.ParentFrame.Data.Length)
{
string dialectName = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex);
this.dialectList.Add(dialectName);
packetIndex++;//skip the next 0x02 buffer format
}
}
//internal string FileId { get { return this.fileId; } }
internal NTCreateAndXRequest(CifsPacket parentCifsPacket)
: base(parentCifsPacket, "CIFS NT Create AndX Request")
{
if (parentCifsPacket.WordCount == 24)
{
//int nameLength=ParentFrame.Data[PacketStartIndex+37];
int nameLength = ParentFrame.Data[parentCifsPacket.ParametersStartIndex + 5];
int fileNameIndex = parentCifsPacket.BufferStartIndex;
this.filename = parentCifsPacket.DecodeBufferString();
//NetBiosPacket.DecodeNetBiosName(ParentFrame, ref fileNameIndex);
if (!this.ParentFrame.QuickParse)
{
this.Attributes.Add("Filename", this.filename);
}
}
else
{
throw new Exception("Word Cound is not 24 (" + parentCifsPacket.WordCount.ToString() + ")");
}
}
internal SetupAndXResponse(CifsPacket parentCifsPacket)
: base(parentCifsPacket, "CIFS Setup AndX Response")
{
this.nativeOs = null;
this.nativeLanManager = null;
this.primaryDomain = null;
//OK, a big problem here is that I don't at this level know which protocol has been negotiated for the SMB session...
//A good way to solve that problem is to look at the WordCount (number of parameters)
if (parentCifsPacket.WordCount == 3)//If wordCount is 3 then the dialect is prior to "NT LM 0.12"
{
int packetIndex = parentCifsPacket.parametersStartIndex + 9;
this.nativeOs = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
this.nativeLanManager = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
this.primaryDomain = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
}
else if (parentCifsPacket.WordCount == 4)//If wordCount is 4 then the dialect is "NT LM 0.12" or later
{
base.SecurityBlobLength = Utils.ByteConverter.ToUInt16(parentCifsPacket.ParentFrame.Data, parentCifsPacket.parametersStartIndex + 6, true);
int packetIndex = parentCifsPacket.parametersStartIndex + 10 + base.SecurityBlobLength;
if (parentCifsPacket.Flags2UnicodeStrings && ((packetIndex - parentCifsPacket.PacketStartIndex) % 2 == 1))
{
packetIndex++;//must start on a word boundrary (2 bytes)
}
this.nativeOs = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
this.nativeLanManager = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
this.primaryDomain = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
}
if (base.SecurityBlobLength > 0)
{
base.SecurityBlobIndex = parentCifsPacket.parametersStartIndex + 2 + parentCifsPacket.WordCount * 2;
}
}
internal NegotiateProtocolResponse(CifsPacket parentCifsPacket)
: base(parentCifsPacket, "CIFS Negotiate Protocol Response")
{
this.dialectIndex = Utils.ByteConverter.ToUInt16(parentCifsPacket.ParentFrame.Data, parentCifsPacket.parametersStartIndex, true);
}
internal SetupAndXRequest(CifsPacket parentCifsPacket)
: base(parentCifsPacket, "CIFS Setup AndX Request")
{
this.nativeOs = null;
this.nativeLanManager = null;
this.accountName = null;
this.primaryDomain = null;
this.accountPassword = null;
//OK, a big problem here is that I don't at this level know which protocol has been negotiated for the SMB session...
//A good way to solve that problem is to look at the WordCount (number of parameters)
if (parentCifsPacket.WordCount == 10)//If wordCount is 10 then the dialect is prior to "NT LM 0.12"
{
ushort passwordLength = Utils.ByteConverter.ToUInt16(parentCifsPacket.ParentFrame.Data, parentCifsPacket.parametersStartIndex + 14, true);
int packetIndex = parentCifsPacket.parametersStartIndex + 22;
this.accountPassword = Utils.ByteConverter.ReadString(parentCifsPacket.ParentFrame.Data, ref packetIndex, passwordLength, false, true);
this.accountName = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
//I currently don't care about the primary domain...
this.primaryDomain = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
this.nativeOs = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
this.nativeLanManager = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
}
else if (parentCifsPacket.WordCount == 12)//If wordCount is 12 then the dialect is "NT LM 0.12" or later
{
base.SecurityBlobLength = Utils.ByteConverter.ToUInt16(parentCifsPacket.ParentFrame.Data, parentCifsPacket.parametersStartIndex + 14, true);
int packetIndex = parentCifsPacket.parametersStartIndex + 26 + base.SecurityBlobLength;
if (parentCifsPacket.Flags2UnicodeStrings && ((packetIndex - parentCifsPacket.PacketStartIndex) % 2 == 1))
{
packetIndex++;//must start on a word boundrary (2 bytes)
}
this.nativeOs = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
this.nativeLanManager = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
}
else if (parentCifsPacket.WordCount == 13)//smb.wct == 13
{
ushort ansiPasswordLength = Utils.ByteConverter.ToUInt16(parentCifsPacket.ParentFrame.Data, parentCifsPacket.parametersStartIndex + 14, true);
ushort unicodePasswordLength = Utils.ByteConverter.ToUInt16(parentCifsPacket.ParentFrame.Data, parentCifsPacket.parametersStartIndex + 16, true);
if (ansiPasswordLength > 0)
{
//this.accountPassword=ByteConverter.ReadString(parentCifsPacket.ParentFrame.Data, parentCifsPacket.parametersStartIndex+28, ansiPasswordLength);
this.accountPassword = Utils.ByteConverter.ReadHexString(parentCifsPacket.ParentFrame.Data, ansiPasswordLength, parentCifsPacket.parametersStartIndex + 28);
}
if (unicodePasswordLength > 0)
{
string decodedPassword = accountPassword = Utils.ByteConverter.ReadString(parentCifsPacket.ParentFrame.Data, parentCifsPacket.parametersStartIndex + 28 + ansiPasswordLength, unicodePasswordLength, true, false);
string hexPassword = accountPassword = Utils.ByteConverter.ReadHexString(parentCifsPacket.ParentFrame.Data, unicodePasswordLength, parentCifsPacket.parametersStartIndex + 28 + ansiPasswordLength);
//this.accountPassword=decodedPassword+" (HEX: "+hexPassword+")";
this.accountPassword = hexPassword;
}
int packetIndex = parentCifsPacket.parametersStartIndex + 28 + ansiPasswordLength + unicodePasswordLength;
//I think we need an even word boundary (stupid SMB spec!)
if (parentCifsPacket.Flags2UnicodeStrings && ((packetIndex - parentCifsPacket.PacketStartIndex) % 2 == 1))
{
packetIndex++;
}
if (unicodePasswordLength > 0)
{
this.accountName = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
this.primaryDomain = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
this.nativeOs = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
this.nativeLanManager = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
}
else
{
this.accountName = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, false, true);
this.primaryDomain = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, false, true);
this.nativeOs = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, false, true);
this.nativeLanManager = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, false, true);
}
}
if (base.SecurityBlobLength > 0)
{
base.SecurityBlobIndex = parentCifsPacket.parametersStartIndex + 2 + parentCifsPacket.WordCount * 2;
}
if (!this.ParentFrame.QuickParse)
{
if (accountName != null && accountName.Length > 0)
{
this.Attributes.Add("Account Name", accountName);
}
if (primaryDomain != null && primaryDomain.Length > 0)
{
this.Attributes.Add("Primary Domain", primaryDomain);
}
if (nativeOs != null && nativeOs.Length > 0)
{
this.Attributes.Add("Native OS", nativeOs);
}
if (nativeLanManager != null && nativeLanManager.Length > 0)
{
this.Attributes.Add("Native LAN Manager", nativeLanManager);
}
}
//note: if an older dialect is used then the securityBlobLength will contain the value for PasswordLength (Account password size)
}