Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add definitions for three new EFS RPC requests and responses #248

Merged
merged 5 commits into from
Mar 9, 2023
Merged

Add definitions for three new EFS RPC requests and responses #248

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
dcd357c
Add EfsRpcDecryptFileSrv request and response defs
zeroSteiner Dec 9, 2022
5417daa
Add EfsRpcQueryRecoveryAgents definitions
zeroSteiner Dec 15, 2022
2b63f76
Add EfsRpcQueryUsersOnFile definitions
zeroSteiner Feb 22, 2023
914d864
Add comments referring to the docs
zeroSteiner Feb 23, 2023
1a30558
Fix the definition to be a pointer
zeroSteiner Mar 8, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions lib/ruby_smb/dcerpc/encrypting_file_system.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,10 +35,62 @@ module EncryptingFileSystem
OVERWRITE_HIDDEN = 0x00000004
EFS_DROP_ALTERNATE_STREAMS = 0x00000010

# [2.2.7 EFS_HASH_BLOB](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/242d857f-ac8e-4cc8-b5e4-9314a942f45e)
class EfsHashBlob < Ndr::NdrStruct
endian :little
default_parameter byte_align: 4

ndr_uint32 :cb_data
ndr_byte_conf_array_ptr :b_data
end

class EfsHashBlobPtr < EfsHashBlob
extend Ndr::PointerClassPlugin
end

# [2.2.10 ENCRYPTION_CERTIFICATE_HASH](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/3a7e7151-edcb-4b32-a119-35cdce1584c0)
class EncryptionCertificateHash < Ndr::NdrStruct
endian :little
default_parameter byte_align: 4

ndr_uint32 :cb_total_length
prpc_sid :user_sid
efs_hash_blob_ptr :certificate_hash
ndr_wide_stringz_ptr :lp_display_information
end

class EncryptionCertificateHashPtr < EncryptionCertificateHash
extend Ndr::PointerClassPlugin
end

class EncryptionCertificateHashPtrArrayPtr < Ndr::NdrConfArray
default_parameter type: :encryption_certificate_hash_ptr
extend Ndr::PointerClassPlugin
end

# [2.2.11 ENCRYPTION_CERTIFICATE_HASH_LIST](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/2718804c-6ab9-45fd-98cf-541bc3b6bc75)
class EncryptionCertificateHashList < BinData::Record
endian :little
default_parameter byte_align: 4

uint32 :ncert_hash
encryption_certificate_hash_ptr_array_ptr :users
end

class EncryptionCertificateHashListPtr < EncryptionCertificateHashList
extend Ndr::PointerClassPlugin
end

require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_decrypt_file_srv_request'
require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_decrypt_file_srv_response'
require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_encrypt_file_srv_request'
require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_encrypt_file_srv_response'
require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_open_file_raw_request'
require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_open_file_raw_response'
require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_recover_agents_request'
require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_recover_agents_response'
require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_users_on_file_request'
require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_users_on_file_response'
end
end
end
22 changes: 22 additions & 0 deletions lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_decrypt_file_srv_request.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
module RubySMB
module Dcerpc
module EncryptingFileSystem

# [3.1.4.2.6 Receiving an EfsRpcDecryptFileSrv Message (Opnum 5)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/043715de-caee-402a-a61b-921743337e78)
class EfsRpcDecryptFileSrvRequest < BinData::Record
attr_reader :opnum

endian :little

ndr_conf_var_wide_stringz :file_name
ndr_uint32 :open_flag

def initialize_instance
super
@opnum = EFS_RPC_DECRYPT_FILE_SRV
end
end

end
end
end
21 changes: 21 additions & 0 deletions lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_decrypt_file_srv_response.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
module RubySMB
module Dcerpc
module EncryptingFileSystem

# [3.1.4.2.6 Receiving an EfsRpcDecryptFileSrv Message (Opnum 5)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/043715de-caee-402a-a61b-921743337e78)
class EfsRpcDecryptFileSrvResponse < BinData::Record
attr_reader :opnum

endian :little

ndr_uint32 :error_status

def initialize_instance
super
@opnum = EFS_RPC_DECRYPT_FILE_SRV
end
end

end
end
end
20 changes: 20 additions & 0 deletions lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_recover_agents_request.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
module RubySMB
module Dcerpc
module EncryptingFileSystem

# [3.1.4.2.8 Receiving an EfsRpcQueryRecoveryAgents Message (Opnum 7)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/cf759c00-1b90-4c33-9ace-f51c20149cea)
class EfsRpcQueryRecoveryAgentsRequest < BinData::Record
attr_reader :opnum

endian :little

ndr_conf_var_wide_stringz :file_name

def initialize_instance
super
@opnum = EFS_RPC_QUERY_RECOVERY_AGENTS
end
end
end
end
end
21 changes: 21 additions & 0 deletions lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_recover_agents_response.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
module RubySMB
module Dcerpc
module EncryptingFileSystem

# [3.1.4.2.8 Receiving an EfsRpcQueryRecoveryAgents Message (Opnum 7)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/cf759c00-1b90-4c33-9ace-f51c20149cea)
class EfsRpcQueryRecoveryAgentsResponse < BinData::Record
attr_reader :opnum

endian :little

encryption_certificate_hash_list_ptr :recover_agents
ndr_uint32 :error_status

def initialize_instance
super
@opnum = EFS_RPC_QUERY_RECOVERY_AGENTS
end
end
end
end
end
20 changes: 20 additions & 0 deletions lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_users_on_file_request.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
module RubySMB
module Dcerpc
module EncryptingFileSystem

# [3.1.4.2.7 Receiving an EfsRpcQueryUsersOnFile Message (Opnum 6)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/a058dc6c-bb7e-491c-9143-a5cb1f7e7cea)
class EfsRpcQueryUsersOnFileRequest < BinData::Record
attr_reader :opnum

endian :little

ndr_conf_var_wide_stringz :file_name

def initialize_instance
super
@opnum = EFS_RPC_QUERY_USERS_ON_FILE
end
end
end
end
end
21 changes: 21 additions & 0 deletions lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_users_on_file_response.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
module RubySMB
module Dcerpc
module EncryptingFileSystem

# [3.1.4.2.7 Receiving an EfsRpcQueryUsersOnFile Message (Opnum 6)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/a058dc6c-bb7e-491c-9143-a5cb1f7e7cea)
class EfsRpcQueryUsersOnFileResponse < BinData::Record
attr_reader :opnum

endian :little

encryption_certificate_hash_list_ptr :users
ndr_uint32 :error_status

def initialize_instance
super
@opnum = EFS_RPC_QUERY_USERS_ON_FILE
end
end
end
end
end