Пример #1
 /// <summary>
 /// Initialises the state shared by all SMB commands carried inside a CIFS packet.
 /// </summary>
 /// <param name="parentCifsPacket">CIFS packet this command belongs to; its frame and
 /// parameter start index are handed to the base constructor.</param>
 /// <param name="packetTypeDescription">Human-readable name of the concrete command.</param>
 internal AbstractSmbCommand(CifsPacket parentCifsPacket, string packetTypeDescription)
     : base(
         parentCifsPacket.ParentFrame,
         parentCifsPacket.ParametersStartIndex,
         // Third argument is the index of the last byte in the frame (presumably the packet end index).
         parentCifsPacket.ParentFrame.Data.Length - 1,
         packetTypeDescription)
 {
     // No security blob is known at this point; subclasses set these when they find one.
     this.securityBlobLength = 0;
     this.securityBlobIndex  = null;

     this.parentCifsPacket = parentCifsPacket;
 }
Пример #2
        /// <summary>
        /// Enumerates this packet (optionally) followed by the payload packet and everything nested in it.
        /// </summary>
        /// <param name="includeSelfReference">When true, this packet is yielded first.</param>
        /// <returns>A lazily evaluated sequence of packets.</returns>
        public override IEnumerable<AbstractPacket> GetSubPackets(bool includeSelfReference)
        {
            if (includeSelfReference)
            {
                yield return this;
            }

            // A payload is only decoded for message type 0x00 and when bytes remain after
            // the first four bytes of this packet (presumably its own header - confirm).
            if (this.messageType != 0x00 || PacketStartIndex + 4 >= PacketEndIndex)
            {
                yield break;
            }

            AbstractPacket payload;
            try
            {
                payload = new CifsPacket(ParentFrame, PacketStartIndex + 4, PacketEndIndex);
            }
            catch
            {
                // Any failure while parsing the bytes as CIFS falls back to an undecoded packet.
                // The exception itself is discarded, so a malformed SMB payload is visible
                // downstream only as a RawPacket.
                payload = new RawPacket(ParentFrame, PacketStartIndex + 4, PacketEndIndex);
            }

            yield return payload;

            foreach (AbstractPacket nested in payload.GetSubPackets(false))
            {
                yield return nested;
            }
        }
Пример #3
            /// <summary>
            /// Parses the data length and data offset fields of a Read AndX response.
            /// </summary>
            /// <param name="parentCifsPacket">CIFS packet whose parameter block is read.</param>
            internal ReadAndXResponse(CifsPacket parentCifsPacket)
                : base(parentCifsPacket, "CIFS Read AndX Response")
            {
                // NOTE: make sure that ram_load.sh can be extracted (smb.fid == 0x21a0)

                var frameData       = ParentFrame.Data;
                int parametersStart = parentCifsPacket.parametersStartIndex;

                // Both fields are 16-bit values taken from the frame at fixed offsets into the
                // parameter block; nothing here checks them against the size of the frame.
                this.dataLenght = Utils.ByteConverter.ToUInt16(frameData, parametersStart + 10, true);
                this.dataOffset = Utils.ByteConverter.ToUInt16(frameData, parametersStart + 12, true);
            }
Пример #4
 /// <summary>
 /// Parses the file ID of a Close request and, unless the frame is in quick-parse mode,
 /// records it as a display attribute.
 /// </summary>
 /// <param name="parentCifsPacket">CIFS packet whose parameter block is read.</param>
 internal CloseRequest(CifsPacket parentCifsPacket)
     : base(parentCifsPacket, "Close Request")
 {
     // The file ID is the 16-bit value at the very start of the parameter block.
     int fileIdOffset = parentCifsPacket.parametersStartIndex;
     this.fileId = Utils.ByteConverter.ToUInt16(ParentFrame.Data, fileIdOffset, true);

     if (this.ParentFrame.QuickParse)
     {
         return;
     }

     string fileIdText = "0x" + fileId.ToString("X2");
     base.Attributes.Add("File ID", fileIdText);
 }
Пример #5
 /// <summary>
 /// Parses the file ID and end-of-file value of an NT Create AndX response.
 /// </summary>
 /// <param name="parentCifsPacket">CIFS packet whose parameter block is read.</param>
 internal NTCreateAndXResponse(CifsPacket parentCifsPacket)
     : base(parentCifsPacket, "NT Create AndX Response")
 {
     var frameData       = ParentFrame.Data;
     int parametersStart = parentCifsPacket.parametersStartIndex;

     // 16-bit file ID, five bytes into the parameter block.
     this.fileId = Utils.ByteConverter.ToUInt16(frameData, parametersStart + 5, true);

     bool fullParse = !this.ParentFrame.QuickParse;
     if (fullParse)
     {
         string fileIdText = "0x" + fileId.ToString("X2");
         base.Attributes.Add("File ID", fileIdText);
     }

     // 64-bit end-of-file value, 55 bytes into the parameter block.
     this.endOfFile = Utils.ByteConverter.ToUInt64(frameData, parametersStart + 55, true);
 }
Пример #6
            /// <summary>
            /// Parses the list of dialect names offered in a Negotiate Protocol request.
            /// </summary>
            /// <param name="parentCifsPacket">CIFS packet whose dialect list is read.</param>
            internal NegotiateProtocolRequest(CifsPacket parentCifsPacket)
                : base(parentCifsPacket, "CIFS Negotiate Protocol Request")
            {
                this.dialectList = new List<string>();

                var frameData    = parentCifsPacket.ParentFrame.Data;
                ushort byteCount = Utils.ByteConverter.ToUInt16(frameData, parentCifsPacket.parametersStartIndex, true);

                // First BufferFormat byte of Dialects[] follows the 16-bit byte count.
                int dialectsStartIndex = parentCifsPacket.ParametersStartIndex + 2;

                // Each entry is a 0x02 buffer-format byte followed by a null-terminated name.
                // The cursor starts past the first 0x02; the loop increment skips each later one.
                // byteCount comes from the frame itself, so the second condition is what keeps
                // the cursor inside the captured data when the declared count is too large.
                for (int cursor = dialectsStartIndex + 1;
                     cursor - dialectsStartIndex < byteCount && cursor < frameData.Length;
                     cursor++)
                {
                    string dialectName = Utils.ByteConverter.ReadNullTerminatedString(frameData, ref cursor);
                    this.dialectList.Add(dialectName);
                }
            }
Пример #7
            //internal string FileId { get { return this.fileId; } }

            /// <summary>
            /// Parses the requested file name of an NT Create AndX request.
            /// </summary>
            /// <param name="parentCifsPacket">CIFS packet holding the request; its word count must be 24.</param>
            /// <exception cref="Exception">Thrown when the word count is anything other than 24.</exception>
            internal NTCreateAndXRequest(CifsPacket parentCifsPacket)
                : base(parentCifsPacket, "CIFS NT Create AndX Request")
            {
                if (parentCifsPacket.WordCount != 24)
                {
                    throw new Exception("Word Cound is not 24 (" + parentCifsPacket.WordCount.ToString() + ")");
                }

                // Neither local is used further down: the name comes from DecodeBufferString(),
                // not from the length byte. The reads are kept so that a frame too short to hold
                // the length byte still fails here, as before.
                int nameLength    = ParentFrame.Data[parentCifsPacket.ParametersStartIndex + 5];
                int fileNameIndex = parentCifsPacket.BufferStartIndex;

                this.filename = parentCifsPacket.DecodeBufferString();

                if (this.ParentFrame.QuickParse)
                {
                    return;
                }

                this.Attributes.Add("Filename", this.filename);
            }
Пример #8
            /// <summary>
            /// Parses the native OS, native LAN manager and primary domain strings of a
            /// Session Setup AndX response, plus the security blob position when one is present.
            /// </summary>
            /// <param name="parentCifsPacket">CIFS packet holding the response.</param>
            internal SetupAndXResponse(CifsPacket parentCifsPacket)
                : base(parentCifsPacket, "CIFS Setup AndX Response")
            {
                this.nativeOs         = null;
                this.nativeLanManager = null;
                this.primaryDomain    = null;

                var frameData = parentCifsPacket.ParentFrame.Data;

                // The negotiated dialect is not known at this level, so the word count
                // (number of parameters) is used to tell the two layouts apart.
                // Null means "unrecognised word count, read no strings".
                int? stringsStart = null;

                switch (parentCifsPacket.WordCount)
                {
                    case 3:
                    {
                        // Word count 3: dialect prior to "NT LM 0.12".
                        stringsStart = parentCifsPacket.parametersStartIndex + 9;
                        break;
                    }
                    case 4:
                    {
                        // Word count 4: dialect "NT LM 0.12" or later; a security blob precedes the strings.
                        base.SecurityBlobLength = Utils.ByteConverter.ToUInt16(frameData, parentCifsPacket.parametersStartIndex + 6, true);

                        // The blob length is taken from the frame and is not checked against the
                        // frame size here, so this offset can point past the captured data.
                        int afterBlob = parentCifsPacket.parametersStartIndex + 10 + base.SecurityBlobLength;
                        if (parentCifsPacket.Flags2UnicodeStrings && ((afterBlob - parentCifsPacket.PacketStartIndex) % 2 == 1))
                        {
                            afterBlob++; // Unicode strings must start on a word (2-byte) boundary.
                        }
                        stringsStart = afterBlob;
                        break;
                    }
                }

                if (stringsStart.HasValue)
                {
                    int packetIndex = stringsStart.Value;
                    bool unicode    = parentCifsPacket.Flags2UnicodeStrings;

                    this.nativeOs         = Utils.ByteConverter.ReadNullTerminatedString(frameData, ref packetIndex, unicode, true);
                    this.nativeLanManager = Utils.ByteConverter.ReadNullTerminatedString(frameData, ref packetIndex, unicode, true);
                    this.primaryDomain    = Utils.ByteConverter.ReadNullTerminatedString(frameData, ref packetIndex, unicode, true);
                }

                if (base.SecurityBlobLength > 0)
                {
                    // The blob index is placed after the parameter words plus two further bytes.
                    base.SecurityBlobIndex = parentCifsPacket.parametersStartIndex + 2 + parentCifsPacket.WordCount * 2;
                }
            }
Пример #9
 /// <summary>
 /// Parses the dialect index of a Negotiate Protocol response.
 /// </summary>
 /// <param name="parentCifsPacket">CIFS packet whose parameter block is read.</param>
 internal NegotiateProtocolResponse(CifsPacket parentCifsPacket)
     : base(parentCifsPacket, "CIFS Negotiate Protocol Response")
 {
     // The dialect index is the 16-bit value at the very start of the parameter block.
     var frameData          = parentCifsPacket.ParentFrame.Data;
     int dialectIndexOffset = parentCifsPacket.parametersStartIndex;

     this.dialectIndex = Utils.ByteConverter.ToUInt16(frameData, dialectIndexOffset, true);
 }
Пример #10
            /// <summary>
            /// Parses a Session Setup AndX request: account name, primary domain, native OS,
            /// native LAN manager, the account password field and, for word count 12, the
            /// security blob length. The layout is chosen from the packet's word count.
            /// </summary>
            /// <remarks>
            /// The password field is stored in <c>accountPassword</c> but is not added to
            /// <c>Attributes</c> by this constructor. All lengths and offsets come from the
            /// frame; this constructor does not check them against the frame size.
            /// NOTE(review): whether Utils.ByteConverter bounds-checks is not visible here - confirm.
            /// </remarks>
            /// <param name="parentCifsPacket">CIFS packet holding the request.</param>
            internal SetupAndXRequest(CifsPacket parentCifsPacket)
                : base(parentCifsPacket, "CIFS Setup AndX Request")
            {
                this.nativeOs         = null;
                this.nativeLanManager = null;
                this.accountName      = null;
                this.primaryDomain    = null;
                this.accountPassword  = null;



                //OK, a big problem here is that I don't at this level know which protocol has been negotiated for the SMB session...
                //A good way to solve that problem is to look at the WordCount (number of parameters)
                if (parentCifsPacket.WordCount == 10)//If wordCount is 10 then the dialect is prior to "NT LM 0.12"
                {
                    //16-bit password length at parameter offset 14; the password bytes start at offset 22
                    ushort passwordLength = Utils.ByteConverter.ToUInt16(parentCifsPacket.ParentFrame.Data, parentCifsPacket.parametersStartIndex + 14, true);
                    int    packetIndex    = parentCifsPacket.parametersStartIndex + 22;
                    //the password is kept as a decoded string in this layout (the word count 13 layout keeps hex instead)
                    this.accountPassword = Utils.ByteConverter.ReadString(parentCifsPacket.ParentFrame.Data, ref packetIndex, passwordLength, false, true);
                    this.accountName     = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
                    //I currently don't care about the primary domain...
                    this.primaryDomain    = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
                    this.nativeOs         = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
                    this.nativeLanManager = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
                }
                else if (parentCifsPacket.WordCount == 12)//If wordCount is 12 then the dialect is "NT LM 0.12" or later
                {
                    //in this layout the 16-bit value at parameter offset 14 is the security blob length;
                    //no account name, domain or password is read in this branch
                    base.SecurityBlobLength = Utils.ByteConverter.ToUInt16(parentCifsPacket.ParentFrame.Data, parentCifsPacket.parametersStartIndex + 14, true);
                    //the strings follow the blob; the blob length is not checked against the frame size here
                    int packetIndex = parentCifsPacket.parametersStartIndex + 26 + base.SecurityBlobLength;
                    if (parentCifsPacket.Flags2UnicodeStrings && ((packetIndex - parentCifsPacket.PacketStartIndex) % 2 == 1))
                    {
                        packetIndex++;//must start on a word boundary (2 bytes)
                    }
                    this.nativeOs         = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
                    this.nativeLanManager = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
                }
                else if (parentCifsPacket.WordCount == 13)//smb.wct == 13
                {
                    //two 16-bit lengths (ANSI, then Unicode password) at parameter offsets 14 and 16;
                    //the password bytes start at offset 28, ANSI first
                    ushort ansiPasswordLength    = Utils.ByteConverter.ToUInt16(parentCifsPacket.ParentFrame.Data, parentCifsPacket.parametersStartIndex + 14, true);
                    ushort unicodePasswordLength = Utils.ByteConverter.ToUInt16(parentCifsPacket.ParentFrame.Data, parentCifsPacket.parametersStartIndex + 16, true);
                    if (ansiPasswordLength > 0)
                    {
                        //this.accountPassword=ByteConverter.ReadString(parentCifsPacket.ParentFrame.Data, parentCifsPacket.parametersStartIndex+28, ansiPasswordLength);
                        //the ANSI password field is kept as a hex string
                        this.accountPassword = Utils.ByteConverter.ReadHexString(parentCifsPacket.ParentFrame.Data, ansiPasswordLength, parentCifsPacket.parametersStartIndex + 28);
                    }
                    if (unicodePasswordLength > 0)
                    {
                        //when a Unicode password field is present its hex form replaces whatever the ANSI branch stored;
                        //decodedPassword is computed but only referenced by the commented-out line below
                        string decodedPassword = accountPassword = Utils.ByteConverter.ReadString(parentCifsPacket.ParentFrame.Data, parentCifsPacket.parametersStartIndex + 28 + ansiPasswordLength, unicodePasswordLength, true, false);
                        string hexPassword     = accountPassword = Utils.ByteConverter.ReadHexString(parentCifsPacket.ParentFrame.Data, unicodePasswordLength, parentCifsPacket.parametersStartIndex + 28 + ansiPasswordLength);
                        //this.accountPassword=decodedPassword+" (HEX: "+hexPassword+")";
                        this.accountPassword = hexPassword;
                    }
                    //the strings start right after both password fields
                    int packetIndex = parentCifsPacket.parametersStartIndex + 28 + ansiPasswordLength + unicodePasswordLength;
                    //I think we need an even word boundary (stupid SMB spec!)
                    if (parentCifsPacket.Flags2UnicodeStrings && ((packetIndex - parentCifsPacket.PacketStartIndex) % 2 == 1))
                    {
                        packetIndex++;
                    }
                    //the string encoding follows Flags2UnicodeStrings only when a Unicode password was present;
                    //otherwise the strings are read with the unicode argument forced to false, whatever the flag says
                    if (unicodePasswordLength > 0)
                    {
                        this.accountName      = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
                        this.primaryDomain    = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
                        this.nativeOs         = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
                        this.nativeLanManager = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, parentCifsPacket.Flags2UnicodeStrings, true);
                    }
                    else
                    {
                        this.accountName = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, false, true);

                        this.primaryDomain    = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, false, true);
                        this.nativeOs         = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, false, true);
                        this.nativeLanManager = Utils.ByteConverter.ReadNullTerminatedString(parentCifsPacket.ParentFrame.Data, ref packetIndex, false, true);
                    }
                }

                //only the word count 12 branch sets SecurityBlobLength in this constructor
                if (base.SecurityBlobLength > 0)
                {
                    base.SecurityBlobIndex = parentCifsPacket.parametersStartIndex + 2 + parentCifsPacket.WordCount * 2;
                }

                //display attributes are skipped in quick-parse mode; empty or missing strings are left out,
                //and the password field is never added here
                if (!this.ParentFrame.QuickParse)
                {
                    if (accountName != null && accountName.Length > 0)
                    {
                        this.Attributes.Add("Account Name", accountName);
                    }
                    if (primaryDomain != null && primaryDomain.Length > 0)
                    {
                        this.Attributes.Add("Primary Domain", primaryDomain);
                    }
                    if (nativeOs != null && nativeOs.Length > 0)
                    {
                        this.Attributes.Add("Native OS", nativeOs);
                    }
                    if (nativeLanManager != null && nativeLanManager.Length > 0)
                    {
                        this.Attributes.Add("Native LAN Manager", nativeLanManager);
                    }
                }

                //note: if an older dialect is used then the securityBlobLength will contain the value for PasswordLength (Account password size)
            }