diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index 70feb4049e..7df08dd7ef 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -43,6 +43,7 @@
 @endif
 
 @load base/protocols/conn
+@load base/protocols/dce-rpc
 @load base/protocols/dhcp
 @load base/protocols/dnp3
 @load base/protocols/dns
diff --git a/scripts/base/protocols/dce-rpc/__load__.bro b/scripts/base/protocols/dce-rpc/__load__.bro
new file mode 100644
index 0000000000..1d47f6e0cd
--- /dev/null
+++ b/scripts/base/protocols/dce-rpc/__load__.bro
@@ -0,0 +1,2 @@
+@load ./consts
+@load ./main
diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.bro
new file mode 100644
index 0000000000..bdef75b619
--- /dev/null
+++ b/scripts/base/protocols/dce-rpc/consts.bro
@@ -0,0 +1,1374 @@ + +module DCE_RPC; + +export { + const uuid_endpoint_map: table[string] of string = { + ["367abb81-9844-35f1-ad32-98f038001003"] = "svcctl", + ["86d35949-83c9-4044-b424-db363231fd0c"] = "ITaskSchedulerService", + ["378e52b0-c0a9-11cf-822d-00aa0051e40f"] = "sasec", + ["1ff70682-0a51-30e8-076d-740be8cee98b"] = "atsvc", + ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53"] = "idletask", + ["906b0ce0-c70b-1067-b317-00dd010662da"] = "IXnRemote", + ["ae33069b-a2a8-46ee-a235-ddfd339be281"] = "IRPCRemoteObject", + ["0b6edbfa-4a24-4fc6-8a23-942b1eca65d1"] = "IRPCAsyncNotify", + ["afa8bd80-7d8a-11c9-bef4-08002b102989"] = "mgmt", + ["f5cc59b4-4264-101a-8c59-08002b2f8426"] = "FrsRpc", + ["000001a0-0000-0000-c000-000000000046"] = "IRemoteSCMActivator", + ["00000143-0000-0000-c000-000000000046"] = "IRemUnknown2", + ["12345778-1234-abcd-ef00-0123456789ab"] = "lsarpc", + ["76f03f96-cdfd-44fc-a22c-64950a001209"] = "IRemoteWinspool", + ["12345678-1234-abcd-ef00-01234567cffb"] = "netlogon", + ["e3514235-4b06-11d1-ab04-00c04fc2dcd2"] = "drsuapi", + ["5261574a-4572-206e-b268-6b199213b4e4"] = "AsyncEMSMDB", + ["4d9f4ab8-7d1c-11cf-861e-0020af6e7c57"] = "IActivation", + ["99fcfec4-5260-101b-bbcb-00aa0021347a"] = "IObjectExporter", + ["e1af8308-5d1f-11c9-91a4-08002b14a0fa"] = "epmapper", + ["12345778-1234-abcd-ef00-0123456789ac"] = "samr", + ["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = "srvsvc", + ["45f52c28-7f9f-101a-b52b-08002b2efabe"] = "winspipe", + ["6bffd098-a112-3610-9833-46c3f87e345a"] = "wkssvc", + ["3919286a-b10c-11d0-9ba8-00c04fd92ef5"] = "dssetup", + ["12345678-1234-abcd-ef00-0123456789ab"] = "spoolss", + + # Exchange + ["1544f5e0-613c-11d1-93df-00c04fd7bd09"] = "exchange_rfr", + ["f5cc5a18-4264-101a-8c59-08002b2f8426"] = "nspi", + ["a4f1db00-ca47-1067-b31f-00dd010662da"] = "exchange_mapi", + + # IWbem + ["9556dc99-828c-11cf-a37e-00aa003240c7"] = "IWbemServices", + ["f309ad18-d86a-11d0-a075-00c04fb68820"] = "IWbemLevel1Login", + ["d4781cd6-e5d3-44df-ad94-930efe48a887"] = 
"IWbemLoginClientID", + ["44aca674-e8fc-11d0-a07c-00c04fb68820"] = "IWbemContext interface", + ["674b6698-ee92-11d0-ad71-00c04fd8fdff"] = "IWbemContext unmarshaler", + ["dc12a681-737f-11cf-884d-00aa004b2e24"] = "IWbemClassObject interface", + ["4590f812-1d3a-11d0-891f-00aa004b2e24"] = "IWbemClassObject unmarshaler", + ["9a653086-174f-11d2-b5f9-00104b703efd"] = "IWbemClassObject interface", + ["c49e32c6-bc8b-11d2-85d4-00105a1f8304"] = "IWbemBackupRestoreEx interface", + ["7c857801-7381-11cf-884d-00aa004b2e24"] = "IWbemObjectSink interface", + ["027947e1-d731-11ce-a357-000000000001"] = "IEnumWbemClassObject interface", + ["44aca675-e8fc-11d0-a07c-00c04fb68820"] = "IWbemCallResult interface", + ["c49e32c7-bc8b-11d2-85d4-00105a1f8304"] = "IWbemBackupRestore interface", + ["a359dec5-e813-4834-8a2a-ba7f1d777d76"] = "IWbemBackupRestoreEx interface", + ["f1e9c5b2-f59b-11d2-b362-00105a1f8177"] = "IWbemRemoteRefresher interface", + ["2c9273e0-1dc3-11d3-b364-00105a1f8177"] = "IWbemRefreshingServices interface", + ["423ec01e-2e35-11d2-b604-00104b703efd"] = "IWbemWCOSmartEnum interface", + ["1c1c45ee-4395-11d2-b60b-00104b703efd"] = "IWbemFetchSmartEnum interface", + ["541679AB-2E5F-11d3-B34E-00104BCC4B4A"] = "IWbemLoginHelper interface", + # KMS? 
+ ["51c82175-844e-4750-b0d8-ec255555bc06"] = "KMS", + + ["50abc2a4-574d-40b3-9d66-ee4fd5fba076"] = "dnsserver", + ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5"] = "AudioSrv", + ["c386ca3e-9061-4a72-821e-498d83be188f"] = "AudioRpc", + ["6bffd098-a112-3610-9833-012892020162"] = "browser", + ["91ae6020-9e3c-11cf-8d7c-00aa00c091be"] = "ICertPassage", + ["c8cb7687-e6d3-11d2-a958-00c04f682e16"] = "DAV RPC SERVICE", + ["82273fdc-e32a-18c3-3f78-827929dc23ea"] = "eventlog", + ["3d267954-eeb7-11d1-b94e-00c04fa3080d"] = "HydraLsPipe", + ["894de0c0-0d55-11d3-a322-00c04fa321a1"] = "InitShutdown", + ["d95afe70-a6d5-4259-822e-2c84da1ddb0d"] = "WindowsShutdown", + ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b"] = "IKeySvc", + ["68b58241-c259-4f03-a2e5-a2651dcbc930"] = "IKeySvc2", + ["0d72a7d4-6148-11d1-b4aa-00c04fb66ea0"] = "ICertProtect", + ["f50aac00-c7f3-428e-a022-a6b71bfb9d43"] = "ICatDBSvc", + ["338cd001-2244-31f1-aaaa-900038001003"] = "winreg", + ["3dde7c30-165d-11d1-ab8f-00805f14db40"] = "BackupKey", # https://msdn.microsoft.com/en-us/library/cc224123.aspx + ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5"] = "RpcSrvDHCPC", + ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6"] = "dhcpcsvc6", + ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8"] = "lcrpc", + ["5ca4a760-ebb1-11cf-8611-00a0245420ed"] = "winstation_rpc", + ["12b81e99-f207-4a4c-85d3-77b42f76fd14"] = "ISeclogon", + ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c3"] = "NsiS", + ["d3fbb514-0e3b-11cb-8fad-08002b1d29c3"] = "NsiC", + ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4"] = "NsiM", + ["17fdd703-1827-4e34-79d4-24a55c53bb37"] = "msgsvc", + ["5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc"] = "msgsvcsend", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b"] = "pnp", + ["57674cd0-5200-11ce-a897-08002b2e9c6d"] = "lls_license", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d"] = "llsrpc", + ["4fc742e0-4a10-11cf-8273-00aa004ae673"] = "netdfs", + ["83da7c00-e84f-11d2-9807-00c04f8ec850"] = "sfcapi", + ["2f5f3220-c126-1076-b549-074d078619da"] = "nddeapi", + } &redef &default=function(uuid: string): 
string { return fmt("unknown-%s", uuid); }; + + const operations: table[string,count] of string = { + # atsvc + ["1ff70682-0a51-30e8-076d-740be8cee98b",0] = "NetrJobAdd", + ["1ff70682-0a51-30e8-076d-740be8cee98b",1] = "NetrJobDel", + ["1ff70682-0a51-30e8-076d-740be8cee98b",2] = "NetrJobEnum", + ["1ff70682-0a51-30e8-076d-740be8cee98b",3] = "NetrJobGetInfo", + + # sasec + ["378e52b0-c0a9-11cf-822d-00aa0051e40f",0] = "SASetAccountInformation", + ["378e52b0-c0a9-11cf-822d-00aa0051e40f",1] = "SASetNSAccountInformation", + ["378e52b0-c0a9-11cf-822d-00aa0051e40f",2] = "SAGetNSAccountInformation", + ["378e52b0-c0a9-11cf-822d-00aa0051e40f",3] = "SAGetAccountInformation", + + # idletask + ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53",0] = "ItSrvRegisterIdleTask", + ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53",1] = "ItSrvUnregisterIdleTask", + ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53",2] = "ItSrvProcessIdleTasks", + ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53",3] = "ItSrvSetDetectionParameters", + + # ITaskSchedulerService + ["86d35949-83c9-4044-b424-db363231fd0c",0] = "SchRpcHighestVersion", + ["86d35949-83c9-4044-b424-db363231fd0c",1] = "SchRpcRegisterTask", + ["86d35949-83c9-4044-b424-db363231fd0c",2] = "SchRpcRetrieveTask", + ["86d35949-83c9-4044-b424-db363231fd0c",3] = "SchRpcCreateFolder", + ["86d35949-83c9-4044-b424-db363231fd0c",4] = "SchRpcSetSecurity", + ["86d35949-83c9-4044-b424-db363231fd0c",5] = "SchRpcGetSecurity", + ["86d35949-83c9-4044-b424-db363231fd0c",6] = "SchRpcEnumFolder", + ["86d35949-83c9-4044-b424-db363231fd0c",7] = "SchRpcEnumTasks", + ["86d35949-83c9-4044-b424-db363231fd0c",8] = "SchRpcEnumInstances", + ["86d35949-83c9-4044-b424-db363231fd0c",9] = "SchRpcGetInstanceInfo", + ["86d35949-83c9-4044-b424-db363231fd0c",10] = "SchRpcStopInstance", + ["86d35949-83c9-4044-b424-db363231fd0c",11] = "SchRpcStop", + ["86d35949-83c9-4044-b424-db363231fd0c",12] = "SchRpcRun", + ["86d35949-83c9-4044-b424-db363231fd0c",13] = "SchRpcDelete", + 
["86d35949-83c9-4044-b424-db363231fd0c",14] = "SchRpcRename", + ["86d35949-83c9-4044-b424-db363231fd0c",15] = "SchRpcScheduledRuntimes", + ["86d35949-83c9-4044-b424-db363231fd0c",16] = "SchRpcGetLastRunInfo", + ["86d35949-83c9-4044-b424-db363231fd0c",17] = "SchRpcGetTaskInfo", + + # IObjectExporter + ["99fcfec4-5260-101b-bbcb-00aa0021347a",0] = "ResolveOxid", + ["99fcfec4-5260-101b-bbcb-00aa0021347a",1] = "SimplePing", + ["99fcfec4-5260-101b-bbcb-00aa0021347a",2] = "ComplexPing", + ["99fcfec4-5260-101b-bbcb-00aa0021347a",3] = "ServerAlive", + ["99fcfec4-5260-101b-bbcb-00aa0021347a",4] = "ResolveOxid2", + ["99fcfec4-5260-101b-bbcb-00aa0021347a",5] = "ServerAlive2", + + # IActivation + ["4d9f4ab8-7d1c-11cf-861e-0020af6e7c57",0] = "RemoteActivation", + + # IRemoteSCMActivator + ["000001a0-0000-0000-c000-000000000046",3] = "RemoteGetClassObject", + ["000001a0-0000-0000-c000-000000000046",4] = "RemoteCreateInstance", + + # nspi + ["f5cc5a18-4264-101a-8c59-08002b2f8426",0] = "NspiBind", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",1] = "NspiUnbind", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",2] = "NspiUpdateStat", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",3] = "NspiQueryRows", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",4] = "NspiSeekEntries", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",5] = "NspiGetMatches", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",6] = "NspiResortRestriction", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",7] = "NspiDNToEph", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",8] = "NspiGetPropList", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",9] = "NspiGetProps", + + # IWbemServices + ["9556dc99-828c-11cf-a37e-00aa003240c7",3] = "OpenNamespace", + ["9556dc99-828c-11cf-a37e-00aa003240c7",4] = "CancelAsyncCall", + ["9556dc99-828c-11cf-a37e-00aa003240c7",5] = "QueryObjectSink", + ["9556dc99-828c-11cf-a37e-00aa003240c7",6] = "GetObject", + ["9556dc99-828c-11cf-a37e-00aa003240c7",7] = "GetObjectAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",8] = "PutClass", + 
["9556dc99-828c-11cf-a37e-00aa003240c7",9] = "PutClassAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",10] = "DeleteClass", + ["9556dc99-828c-11cf-a37e-00aa003240c7",11] = "DeleteClassAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",12] = "CreateClassEnum", + ["9556dc99-828c-11cf-a37e-00aa003240c7",13] = "CreateClassEnumAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",14] = "PutInstance", + ["9556dc99-828c-11cf-a37e-00aa003240c7",15] = "PutInstanceAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",16] = "DeleteClass", + ["9556dc99-828c-11cf-a37e-00aa003240c7",17] = "DeleteClassAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",18] = "CreateInstanceEnum", + ["9556dc99-828c-11cf-a37e-00aa003240c7",19] = "CreateInstanceEnumAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",20] = "ExecQuery", + ["9556dc99-828c-11cf-a37e-00aa003240c7",21] = "ExecQueryAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",22] = "ExecNotificationQuery", + ["9556dc99-828c-11cf-a37e-00aa003240c7",23] = "ExecNotificationQueryAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",24] = "ExecMethod", + ["9556dc99-828c-11cf-a37e-00aa003240c7",25] = "ExecMethodAsync", + + # IWbemLevel1Login + ["f309ad18-d86a-11d0-a075-00c04fb68820",3] = "EstablishPosition", + ["f309ad18-d86a-11d0-a075-00c04fb68820",4] = "RequestChallenge", + ["f309ad18-d86a-11d0-a075-00c04fb68820",5] = "WBEMLogin", + ["f309ad18-d86a-11d0-a075-00c04fb68820",6] = "NTLMLogin", + + # FrsRpc + ["f5cc59b4-4264-101a-8c59-08002b2f8426",0] = "FrsRpcSendCommPkt", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",1] = "FrsRpcVerifyPromotionParent", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",2] = "FrsRpcStartPromotionParent", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",3] = "FrsNOP", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",4] = "FrsBackupComplete", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",5] = "FrsBackupComplete", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",6] = "FrsBackupComplete", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",7] = "FrsBackupComplete", + 
["f5cc59b4-4264-101a-8c59-08002b2f8426",8] = "FrsBackupComplete", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",9] = "FrsBackupComplete", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",10] = "FrsRpcVerifyPromotionParentEx", + + # IRemUnknown2 + ["00000143-0000-0000-c000-000000000046",0] = "QueryInterface", + ["00000143-0000-0000-c000-000000000046",1] = "AddRef", + ["00000143-0000-0000-c000-000000000046",2] = "Release", + ["00000143-0000-0000-c000-000000000046",3] = "RemQueryInterface", + ["00000143-0000-0000-c000-000000000046",4] = "RemAddRef", + ["00000143-0000-0000-c000-000000000046",5] = "RemRelease", + ["00000143-0000-0000-c000-000000000046",6] = "RemQueryInterface2", + + # IRemoteSCMActivator + ["000001a0-0000-0000-c000-000000000046",0] = "QueryInterfaceIRemoteSCMActivator", + ["000001a0-0000-0000-c000-000000000046",1] = "AddRefIRemoteISCMActivator", + ["000001a0-0000-0000-c000-000000000046",2] = "ReleaseIRemoteISCMActivator", + #["000001a0-0000-0000-c000-000000000046",3] = "RemoteGetClassObject", + #["000001a0-0000-0000-c000-000000000046",4] = "RemoteCreateInstance", + + # netlogon + ["12345678-1234-abcd-ef00-01234567cffb",0] = "NetrLogonUasLogon", + ["12345678-1234-abcd-ef00-01234567cffb",1] = "NetrLogonUasLogoff", + ["12345678-1234-abcd-ef00-01234567cffb",2] = "NetrLogonSamLogon", + ["12345678-1234-abcd-ef00-01234567cffb",3] = "NetrLogonSamLogoff", + ["12345678-1234-abcd-ef00-01234567cffb",4] = "NetrServerReqChallenge", + ["12345678-1234-abcd-ef00-01234567cffb",5] = "NetrServerAuthenticate", + ["12345678-1234-abcd-ef00-01234567cffb",6] = "NetrServerPasswordSet", + ["12345678-1234-abcd-ef00-01234567cffb",7] = "NetrDatabaseDeltas", + ["12345678-1234-abcd-ef00-01234567cffb",8] = "NetrDatabaseSync", + ["12345678-1234-abcd-ef00-01234567cffb",9] = "NetrAccountDeltas", + ["12345678-1234-abcd-ef00-01234567cffb",10] = "NetrAccountSync", + ["12345678-1234-abcd-ef00-01234567cffb",11] = "NetrGetDCName", + ["12345678-1234-abcd-ef00-01234567cffb",12] = "NetrLogonControl", + 
["12345678-1234-abcd-ef00-01234567cffb",13] = "NetrGetAnyDCName", + ["12345678-1234-abcd-ef00-01234567cffb",14] = "NetrLogonControl2", + ["12345678-1234-abcd-ef00-01234567cffb",15] = "NetrServerAuthenticate2", + ["12345678-1234-abcd-ef00-01234567cffb",16] = "NetrDatabaseSync2", + ["12345678-1234-abcd-ef00-01234567cffb",17] = "NetrDatabaseRedo", + ["12345678-1234-abcd-ef00-01234567cffb",18] = "NetrLogonControl2Ex", + ["12345678-1234-abcd-ef00-01234567cffb",19] = "NetrEnumerateTrustedDomains", + ["12345678-1234-abcd-ef00-01234567cffb",20] = "DsrGetDcName", + ["12345678-1234-abcd-ef00-01234567cffb",21] = "NetrLogonGetCapabilities", + ["12345678-1234-abcd-ef00-01234567cffb",22] = "NetrLogonSetServiceBits", + ["12345678-1234-abcd-ef00-01234567cffb",23] = "NetrLogonGetTrustRid", + ["12345678-1234-abcd-ef00-01234567cffb",24] = "NetrLogonComputeServerDigest", + ["12345678-1234-abcd-ef00-01234567cffb",25] = "NetrLogonComputeClientDigest", + ["12345678-1234-abcd-ef00-01234567cffb",26] = "NetrServerAuthenticate3", + ["12345678-1234-abcd-ef00-01234567cffb",27] = "DsrGetDcNameEx", + ["12345678-1234-abcd-ef00-01234567cffb",28] = "DsrGetSiteName", + ["12345678-1234-abcd-ef00-01234567cffb",29] = "NetrLogonGetDomainInfo", + ["12345678-1234-abcd-ef00-01234567cffb",30] = "NetrServerPasswordSet2", + ["12345678-1234-abcd-ef00-01234567cffb",31] = "NetrServerPasswordGet", + ["12345678-1234-abcd-ef00-01234567cffb",32] = "NetrLogonSendToSam", + ["12345678-1234-abcd-ef00-01234567cffb",33] = "DsrAddressToSiteNamesW", + ["12345678-1234-abcd-ef00-01234567cffb",34] = "DsrGetDcNameEx2", + ["12345678-1234-abcd-ef00-01234567cffb",35] = "NetrLogonGetTimeServiceParentDomain", + ["12345678-1234-abcd-ef00-01234567cffb",36] = "NetrEnumerateTrustedDomainsEx", + ["12345678-1234-abcd-ef00-01234567cffb",37] = "DsrAddressToSiteNamesExW", + ["12345678-1234-abcd-ef00-01234567cffb",38] = "DsrGetDcSiteCoverageW", + ["12345678-1234-abcd-ef00-01234567cffb",39] = "NetrLogonSamLogonEx", + 
["12345678-1234-abcd-ef00-01234567cffb",40] = "DsrEnumerateDomainTrusts", + ["12345678-1234-abcd-ef00-01234567cffb",41] = "DsrDeregisterDnsHostRecords", + ["12345678-1234-abcd-ef00-01234567cffb",42] = "NetrServerTrustPasswordsGet", + ["12345678-1234-abcd-ef00-01234567cffb",43] = "DsrGetForestTrustInformation", + ["12345678-1234-abcd-ef00-01234567cffb",44] = "NetrGetForestTrustInformation", + ["12345678-1234-abcd-ef00-01234567cffb",45] = "NetrLogonSameLogonWithFlags", + ["12345678-1234-abcd-ef00-01234567cffb",46] = "NetrServerGetTrustInfo", + ["12345678-1234-abcd-ef00-01234567cffb",47] = "unused", + ["12345678-1234-abcd-ef00-01234567cffb",48] = "DsrUpdateReadOnlyServerDnsRecords", + ["12345678-1234-abcd-ef00-01234567cffb",49] = "NetrChainSetClientAttributes", + + # IRemoteWinspool + ["76f03f96-cdfd-44fc-a22c-64950a001209",0] = "RpcAsyncOpenPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",1] = "RpcAsyncAddPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",2] = "RpcAsyncSetJob", + ["76f03f96-cdfd-44fc-a22c-64950a001209",3] = "RpcAsyncGetJob", + ["76f03f96-cdfd-44fc-a22c-64950a001209",4] = "RpcAsyncEnumJobs", + ["76f03f96-cdfd-44fc-a22c-64950a001209",5] = "RpcAsyncAddJob", + ["76f03f96-cdfd-44fc-a22c-64950a001209",6] = "RpcAsyncScheduleJob", + ["76f03f96-cdfd-44fc-a22c-64950a001209",7] = "RpcAsyncDeletePrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",8] = "RpcAsyncSetPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",9] = "RpcAsyncGetPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",10] = "RpcAsyncStartDocPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",11] = "RpcAsyncStartPagePrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",12] = "RpcAsyncWritePrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",13] = "RpcAsyncEndPagePrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",14] = "RpcAsyncEndDocPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",15] = "RpcAsyncAbortPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",16] = "RpcAsyncGetPrinterData", + 
["76f03f96-cdfd-44fc-a22c-64950a001209",17] = "RpcAsyncGetPrinterDataEx", + ["76f03f96-cdfd-44fc-a22c-64950a001209",18] = "RpcAsyncSetPrinterData", + ["76f03f96-cdfd-44fc-a22c-64950a001209",19] = "RpcAsyncSetPrinterDataEx", + ["76f03f96-cdfd-44fc-a22c-64950a001209",20] = "RpcAsyncClosePrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",21] = "RpcAsyncAddForm", + ["76f03f96-cdfd-44fc-a22c-64950a001209",22] = "RpcAsyncDeleteForm", + ["76f03f96-cdfd-44fc-a22c-64950a001209",23] = "RpcAsyncGetForm", + ["76f03f96-cdfd-44fc-a22c-64950a001209",24] = "RpcAsyncSetForm", + ["76f03f96-cdfd-44fc-a22c-64950a001209",25] = "RpcAsyncEnumForms", + ["76f03f96-cdfd-44fc-a22c-64950a001209",26] = "RpcAsyncGetPrinterDriver", + ["76f03f96-cdfd-44fc-a22c-64950a001209",27] = "RpcAsyncEnumPrinterData", + ["76f03f96-cdfd-44fc-a22c-64950a001209",28] = "RpcAsyncEnumPrinterDataEx", + ["76f03f96-cdfd-44fc-a22c-64950a001209",29] = "RpcAsyncEnumPrinterKey", + ["76f03f96-cdfd-44fc-a22c-64950a001209",30] = "RpcAsyncDeletePrinterData", + ["76f03f96-cdfd-44fc-a22c-64950a001209",31] = "RpcAsyncDeletePrinterDataEx", + ["76f03f96-cdfd-44fc-a22c-64950a001209",32] = "RpcAsyncDeletePrinterKey", + ["76f03f96-cdfd-44fc-a22c-64950a001209",33] = "RpcAsyncXcvData", + ["76f03f96-cdfd-44fc-a22c-64950a001209",34] = "RpcAsyncSendRecvBidiData", + ["76f03f96-cdfd-44fc-a22c-64950a001209",35] = "RpcAsyncCreatePrinterIC", + ["76f03f96-cdfd-44fc-a22c-64950a001209",36] = "RpcAsyncPlayGdiScriptOnPrinterIC", + ["76f03f96-cdfd-44fc-a22c-64950a001209",37] = "RpcAsyncDeletePrinterIC", + ["76f03f96-cdfd-44fc-a22c-64950a001209",38] = "RpcAsyncEnumPrinters", + ["76f03f96-cdfd-44fc-a22c-64950a001209",39] = "RpcAsyncAddPrinterDriver", + ["76f03f96-cdfd-44fc-a22c-64950a001209",40] = "RpcAsyncEnumPrinterDrivers", + ["76f03f96-cdfd-44fc-a22c-64950a001209",41] = "RpcAsyncGetPrinterDriverDirectory", + ["76f03f96-cdfd-44fc-a22c-64950a001209",42] = "RpcAsyncDeletePrinterDriver", + ["76f03f96-cdfd-44fc-a22c-64950a001209",43] = 
"RpcAsyncDeletePrinterDriverEx", + ["76f03f96-cdfd-44fc-a22c-64950a001209",44] = "RpcAsyncAddPrintProcessor", + ["76f03f96-cdfd-44fc-a22c-64950a001209",45] = "RpcAsyncEnumPrintProcessors", + ["76f03f96-cdfd-44fc-a22c-64950a001209",46] = "RpcAsyncGetPrintProcessorDirectory", + ["76f03f96-cdfd-44fc-a22c-64950a001209",47] = "RpcAsyncEnumPorts", + ["76f03f96-cdfd-44fc-a22c-64950a001209",48] = "RpcAsyncEnumMonitors", + ["76f03f96-cdfd-44fc-a22c-64950a001209",49] = "RpcAsyncAddPort", + ["76f03f96-cdfd-44fc-a22c-64950a001209",50] = "RpcAsyncSetPort", + ["76f03f96-cdfd-44fc-a22c-64950a001209",51] = "RpcAsyncAddMonitor", + ["76f03f96-cdfd-44fc-a22c-64950a001209",52] = "RpcAsyncDeleteMonitor", + ["76f03f96-cdfd-44fc-a22c-64950a001209",53] = "RpcAsyncDeletePrintProcessor", + ["76f03f96-cdfd-44fc-a22c-64950a001209",54] = "RpcAsyncEnumPrintProcessorDatatypes", + ["76f03f96-cdfd-44fc-a22c-64950a001209",55] = "RpcAsyncAddPerMachineConnection", + ["76f03f96-cdfd-44fc-a22c-64950a001209",56] = "RpcAsyncDeletePerMachineConnection", + ["76f03f96-cdfd-44fc-a22c-64950a001209",57] = "RpcAsyncEnumPerMachineConnections", + ["76f03f96-cdfd-44fc-a22c-64950a001209",58] = "RpcSyncRegisterForRemoteNotifications", + ["76f03f96-cdfd-44fc-a22c-64950a001209",59] = "RpcSyncUnRegisterForRemoteNotifications", + ["76f03f96-cdfd-44fc-a22c-64950a001209",60] = "RpcSyncRefreshRemoteNotifications", + ["76f03f96-cdfd-44fc-a22c-64950a001209",61] = "RpcAsyncGetRemoteNotifications", + ["76f03f96-cdfd-44fc-a22c-64950a001209",62] = "RpcAsyncInstallPrinterDriverFromPackage", + ["76f03f96-cdfd-44fc-a22c-64950a001209",63] = "RpcAsyncUploadPrinterDriverPackage", + ["76f03f96-cdfd-44fc-a22c-64950a001209",64] = "RpcAsyncGetCorePrinterDrivers", + ["76f03f96-cdfd-44fc-a22c-64950a001209",65] = "RpcAsyncCorePrinterDriverInstalled", + ["76f03f96-cdfd-44fc-a22c-64950a001209",66] = "RpcAsyncGetPrinterDriverPackagePath", + ["76f03f96-cdfd-44fc-a22c-64950a001209",67] = "RpcAsyncDeletePrinterDriverPackage", + 
["76f03f96-cdfd-44fc-a22c-64950a001209",68] = "RpcAsyncReadPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",69] = "RpcAsyncResetPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",70] = "RpcAsyncGetJobNamedPropertyValue", + ["76f03f96-cdfd-44fc-a22c-64950a001209",71] = "RpcAsyncSetJobNamedProperty", + ["76f03f96-cdfd-44fc-a22c-64950a001209",72] = "RpcAsyncDeleteJobNamedProperty", + ["76f03f96-cdfd-44fc-a22c-64950a001209",73] = "RpcAsyncEnumJobNamedProperties", + ["76f03f96-cdfd-44fc-a22c-64950a001209",74] = "RpcAsyncLogJobInfoForBranchOffice", + + # InitShutdown + ["894de0c0-0d55-11d3-a322-00c04fa321a1",0] = "BaseInitiateShutdown", + ["894de0c0-0d55-11d3-a322-00c04fa321a1",1] = "BaseAbortShutdown", + ["894de0c0-0d55-11d3-a322-00c04fa321a1",2] = "BaseInitiateShutdownEx", + + # WindowsShutdown + ["d95afe70-a6d5-4259-822e-2c84da1ddb0d",0x00] = "WsdrInitiateShutdown", + ["d95afe70-a6d5-4259-822e-2c84da1ddb0d",0x01] = "WsdrAbortShutdown", + + # spoolss + ["12345678-1234-abcd-ef00-0123456789ab",0x00] = "RpcEnumPrinters", + ["12345678-1234-abcd-ef00-0123456789ab",0x01] = "RpcOpenPrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x02] = "RpcSetJob", + ["12345678-1234-abcd-ef00-0123456789ab",0x03] = "RpcGetJob", + ["12345678-1234-abcd-ef00-0123456789ab",0x04] = "RpcEnumJobs", + ["12345678-1234-abcd-ef00-0123456789ab",0x05] = "RpcAddPrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x06] = "RpcDeletePrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x07] = "RpcSetPrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x08] = "RpcGetPrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x09] = "RpcAddPrinterDriver", + ["12345678-1234-abcd-ef00-0123456789ab",0x0a] = "RpcEnumPrinterDrivers", + ["12345678-1234-abcd-ef00-0123456789ab",0x0b] = "RpcGetPrinterDriver", + ["12345678-1234-abcd-ef00-0123456789ab",0x0c] = "RpcGetPrinterDriverDirectory", + ["12345678-1234-abcd-ef00-0123456789ab",0x0d] = "RpcDeletePrinterDriver", + ["12345678-1234-abcd-ef00-0123456789ab",0x0e] = 
"RpcAddPrintProcessor", + ["12345678-1234-abcd-ef00-0123456789ab",0x0f] = "RpcEnumPrintProcessors", + ["12345678-1234-abcd-ef00-0123456789ab",0x10] = "RpcGetPrintProcessorDirectory", + ["12345678-1234-abcd-ef00-0123456789ab",0x11] = "RpcStartDocPrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x12] = "RpcStartPagePrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x13] = "RpcWritePrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x14] = "RpcEndPagePrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x15] = "RpcAbortPrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x16] = "RpcReadPrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x17] = "RpcEndDocPrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x18] = "RpcAddJob", + ["12345678-1234-abcd-ef00-0123456789ab",0x19] = "RpcScheduleJob", + ["12345678-1234-abcd-ef00-0123456789ab",0x1a] = "RpcGetPrinterData", + ["12345678-1234-abcd-ef00-0123456789ab",0x1b] = "RpcSetPrinterData", + ["12345678-1234-abcd-ef00-0123456789ab",0x1c] = "RpcWaitForPrinterChange", + ["12345678-1234-abcd-ef00-0123456789ab",0x1d] = "RpcClosePrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x1e] = "RpcAddForm", + ["12345678-1234-abcd-ef00-0123456789ab",0x1f] = "RpcDeleteForm", + ["12345678-1234-abcd-ef00-0123456789ab",0x20] = "RpcGetForm", + ["12345678-1234-abcd-ef00-0123456789ab",0x21] = "RpcSetForm", + ["12345678-1234-abcd-ef00-0123456789ab",0x22] = "RpcEnumForms", + ["12345678-1234-abcd-ef00-0123456789ab",0x23] = "RpcEnumPorts", + ["12345678-1234-abcd-ef00-0123456789ab",0x24] = "RpcEnumMonitors", + ["12345678-1234-abcd-ef00-0123456789ab",0x25] = "RpcAddPort", + ["12345678-1234-abcd-ef00-0123456789ab",0x26] = "RpcConfigurePort", + ["12345678-1234-abcd-ef00-0123456789ab",0x27] = "RpcDeletePort", + ["12345678-1234-abcd-ef00-0123456789ab",0x28] = "RpcCreatePrinterIC", + ["12345678-1234-abcd-ef00-0123456789ab",0x29] = "RpcPlayGdiScriptOnPrinterIC", + ["12345678-1234-abcd-ef00-0123456789ab",0x2a] = "RpcDeletePrinterIC", + 
["12345678-1234-abcd-ef00-0123456789ab",0x2b] = "RpcAddPrinterConnection", + ["12345678-1234-abcd-ef00-0123456789ab",0x2c] = "RpcDeletePrinterConnection", + ["12345678-1234-abcd-ef00-0123456789ab",0x2d] = "RpcPrinterMessageBox", + ["12345678-1234-abcd-ef00-0123456789ab",0x2e] = "RpcAddMonitor", + ["12345678-1234-abcd-ef00-0123456789ab",0x2f] = "RpcDeleteMonitor", + ["12345678-1234-abcd-ef00-0123456789ab",0x30] = "RpcDeletePrintProcessor", + ["12345678-1234-abcd-ef00-0123456789ab",0x31] = "RpcAddPrintProvidor", + ["12345678-1234-abcd-ef00-0123456789ab",0x32] = "RpcDeletePrintProvidor", + ["12345678-1234-abcd-ef00-0123456789ab",0x33] = "RpcEnumPrintProcessorDatatypes", + ["12345678-1234-abcd-ef00-0123456789ab",0x34] = "RpcResetPrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x35] = "RpcGetPrinterDriver2", + ["12345678-1234-abcd-ef00-0123456789ab",0x36] = "RpcClientFindFirstPrinterChangeNotification", + ["12345678-1234-abcd-ef00-0123456789ab",0x37] = "RpcFindNextPrinterChangeNotification", + ["12345678-1234-abcd-ef00-0123456789ab",0x38] = "RpcFindClosePrinterChangeNotification", + ["12345678-1234-abcd-ef00-0123456789ab",0x39] = "RpcRouterFindFirstPrinterChangeNotificationOld", + ["12345678-1234-abcd-ef00-0123456789ab",0x3a] = "RpcReplyOpenPrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x3b] = "RpcRouterReplyPrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x3c] = "RpcReplyClosePrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x3d] = "RpcAddPortEx", + ["12345678-1234-abcd-ef00-0123456789ab",0x3e] = "RpcRemoteFindFirstPrinterChangeNotification", + ["12345678-1234-abcd-ef00-0123456789ab",0x3f] = "RpcSpoolerInit", + ["12345678-1234-abcd-ef00-0123456789ab",0x40] = "RpcResetPrinterEx", + ["12345678-1234-abcd-ef00-0123456789ab",0x41] = "RpcRemoteFindFirstPrinterChangeNotificationEx", + ["12345678-1234-abcd-ef00-0123456789ab",0x42] = "RpcRouterReplyPrinterEx", + ["12345678-1234-abcd-ef00-0123456789ab",0x43] = "RpcRouterRefreshPrinterChangeNotification", + 
["12345678-1234-abcd-ef00-0123456789ab",0x44] = "RpcSetAllocFailCount", + ["12345678-1234-abcd-ef00-0123456789ab",0x45] = "RpcSplOpenPrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x46] = "RpcAddPrinterEx", + ["12345678-1234-abcd-ef00-0123456789ab",0x47] = "RpcSetPort", + ["12345678-1234-abcd-ef00-0123456789ab",0x48] = "RpcEnumPrinterData", + ["12345678-1234-abcd-ef00-0123456789ab",0x49] = "RpcDeletePrinterData", + ["12345678-1234-abcd-ef00-0123456789ab",0x4a] = "RpcClusterSplOpen", + ["12345678-1234-abcd-ef00-0123456789ab",0x4b] = "RpcClusterSplClose", + ["12345678-1234-abcd-ef00-0123456789ab",0x4c] = "RpcClusterSplIsAlive", + ["12345678-1234-abcd-ef00-0123456789ab",0x4d] = "RpcSetPrinterDataEx", + ["12345678-1234-abcd-ef00-0123456789ab",0x4e] = "RpcGetPrinterDataEx", + ["12345678-1234-abcd-ef00-0123456789ab",0x4f] = "RpcEnumPrinterDataEx", + ["12345678-1234-abcd-ef00-0123456789ab",0x50] = "RpcEnumPrinterKey", + ["12345678-1234-abcd-ef00-0123456789ab",0x51] = "RpcDeletePrinterDataEx", + ["12345678-1234-abcd-ef00-0123456789ab",0x52] = "RpcDeletePrinterKey", + ["12345678-1234-abcd-ef00-0123456789ab",0x53] = "RpcSeekPrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x54] = "RpcDeletePrinterDriverEx", + ["12345678-1234-abcd-ef00-0123456789ab",0x55] = "RpcAddPerMachineConnection", + ["12345678-1234-abcd-ef00-0123456789ab",0x56] = "RpcDeletePerMachineConnection", + ["12345678-1234-abcd-ef00-0123456789ab",0x57] = "RpcEnumPerMachineConnections", + ["12345678-1234-abcd-ef00-0123456789ab",0x58] = "RpcXcvData", + ["12345678-1234-abcd-ef00-0123456789ab",0x59] = "RpcAddPrinterDriverEx", + ["12345678-1234-abcd-ef00-0123456789ab",0x5a] = "RpcSplOpenPrinter", + ["12345678-1234-abcd-ef00-0123456789ab",0x5b] = "RpcGetSpoolFileInfo", + ["12345678-1234-abcd-ef00-0123456789ab",0x5c] = "RpcCommitSpoolData", + ["12345678-1234-abcd-ef00-0123456789ab",0x5d] = "RpcCloseSpoolFileHandle", + ["12345678-1234-abcd-ef00-0123456789ab",0x5e] = "RpcFlushPrinter", + 
["12345678-1234-abcd-ef00-0123456789ab",0x5f] = "RpcSendRecvBidiData",
+ ["12345678-1234-abcd-ef00-0123456789ab",0x60] = "RpcAddDriverCatalog",
+ ["12345678-1234-abcd-ef00-0123456789ab",0x61] = "RpcAddPrinterConnection2",
+ ["12345678-1234-abcd-ef00-0123456789ab",0x62] = "RpcDeletePrinterConnection2",
+ ["12345678-1234-abcd-ef00-0123456789ab",0x63] = "RpcInstallPrinterDriverFromPackage",
+ ["12345678-1234-abcd-ef00-0123456789ab",0x64] = "RpcUploadPrinterDriverPackage",
+ ["12345678-1234-abcd-ef00-0123456789ab",0x65] = "RpcGetCorePrinterDrivers",
+ ["12345678-1234-abcd-ef00-0123456789ab",0x66] = "RpcCorePrinterDriverInstalled",
+ ["12345678-1234-abcd-ef00-0123456789ab",0x67] = "RpcGetPrinterDriverPackagePath",
+ ["12345678-1234-abcd-ef00-0123456789ab",0x68] = "RpcReportJobProcessingProgress",
+ 
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x00] = "NetrCharDevEnum",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x01] = "NetrCharDevGetInfo",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x02] = "NetrCharDevControl",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x03] = "NetrCharDevQEnum",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x04] = "NetrCharDevQGetInfo",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x05] = "NetrCharDevQSetInfo",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x06] = "NetrCharDevQPurge",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x07] = "NetrCharDevQPurgeSelf",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x08] = "NetrConnectionEnum",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x09] = "NetrFileEnum",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x0a] = "NetrFileGetInfo",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x0b] = "NetrFileClose",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x0c] = "NetrSessionEnum",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x0d] = "NetrSessionDel",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x0e] = "NetrShareAdd",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x0f] = "NetrShareEnum",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x10] = "NetrShareGetInfo",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x11] = "NetrShareSetInfo",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x12] = "NetrShareDel",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x13] = "NetrShareDelSticky",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x14] = "NetrShareCheck",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x15] = "NetrServerGetInfo",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x16] = "NetrServerSetInfo",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x17] = "NetrServerDiskEnum",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x18] = "NetrServerStatisticsGet",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x19] = "NetrServerTransportAdd",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x1a] = "NetrServerTransportEnum",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x1b] = "NetrServerTransportDel",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x1c] = "NetrRemoteTOD",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x1d] = "NetrServerSetServiceBits",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x1e] = "NetprPathType",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x1f] = "NetprPathCanonicalize",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x20] = "NetprPathCompare",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x21] = "NetprNameValidate",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x22] = "NetprNameCanonicalize",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x23] = "NetprNameCompare",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x24] = "NetrShareEnumSticky",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x25] = "NetrShareDelStart",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x26] = "NetrShareDelCommit",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x27] = "NetrpGetFileSecurity",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x28] = "NetrpSetFileSecurity",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x29] = "NetrServerTransportAddEx",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x2a] = "NetrServerSetServiceBitsEx",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x2b] = "NetrDfsGetVersion",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x2c] = "NetrDfsCreateLocalPartition",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x2d] = "NetrDfsDeleteLocalPartition",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x2e] = "NetrDfsSetLocalVolumeState",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x2f] = "NetrDfsSetServerInfo",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x30] = "NetrDfsCreateExitPoint",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x31] = "NetrDfsDeleteExitPoint",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x32] = "NetrDfsModifyPrefix",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x33] = "NetrDfsFixLocalVolume",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x34] = "NetrDfsManagerReportSiteInfo",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x35] = "NetrServerTransportDelEx",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x37] = "NetrServerAliasEnum",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x38] = "NetrServerAliasDel",
+ ["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x39] = "NetrShareDelEx",
+ 
+ ["12345778-1234-abcd-ef00-0123456789ac",0x00] = "SamrConnect",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x01] = "SamrCloseHandle",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x02] = "SamrSetSecurityObject",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x03] = "SamrQuerySecurityObject",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x04] = "SamrShutdownSamServer",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x05] = "SamrLookupDomainInSamServer",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x06] = "SamrEnumerateDomainsInSamServer",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x07] = "SamrOpenDomain",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x08] = "SamrQueryInformationDomain",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x09] = "SamrSetInformationDomain",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x0a] = "SamrCreateGroupInDomain",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x0b] = "SamrEnumerateGroupsInDomain",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x0c] = "SamrCreateUserInDomain",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x0d] = "SamrEnumerateUsersInDomain",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x0e] = "SamrCreateAliasInDomain",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x0f] = "SamrEnumerateAliasesInDomain",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x10] = "SamrGetAliasMembership",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x11] = "SamrLookupNamesInDomain",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x12] = "SamrLookupIdsInDomain",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x13] = "SamrOpenGroup",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x14] = "SamrQueryInformationGroup",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x15] = "SamrSetInformationGroup",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x16] = "SamrAddMemberToGroup",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x17] = "SamrDeleteGroup",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x18] = "SamrRemoveMemberFromGroup",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x19] = "SamrGetMembersInGroup",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x1a] = "SamrSetMemberAttributesOfGroup",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x1b] = "SamrOpenAlias",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x1c] = "SamrQueryInformationAlias",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x1d] = "SamrSetInformationAlias",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x1e] = "SamrDeleteAlias",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x1f] = "SamrAddMemberToAlias",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x20] = "SamrRemoveMemberFromAlias",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x21] = "SamrGetMembersInAlias",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x22] = "SamrOpenUser",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x23] = "SamrDeleteUser",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x24] = "SamrQueryInformationUser",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x25] = "SamrSetInformationUser",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x26] = "SamrChangePasswordUser",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x27] = "SamrGetGroupsForUser",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x28] = "SamrQueryDisplayInformation",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x29] = "SamrGetDisplayEnumerationIndex",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x2a] = "SamrTestPrivateFunctionsDomain",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x2b] = "SamrTestPrivateFunctionsUser",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x2c] = "SamrGetUserDomainPasswordInformation",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x2d] = "SamrRemoveMemberFromForeignDomain",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x2e] = "SamrQueryInformationDomain2",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x2f] = "SamrQueryInformationUser2",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x30] = "SamrQueryDisplayInformation2",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x31] = "SamrGetDisplayEnumerationIndex2",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x32] = "SamrCreateUser2InDomain",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x33] = "SamrQueryDisplayInformation3",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x34] = "SamrAddMultipleMembersToAlias",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x35] = "SamrRemoveMultipleMembersFromAlias",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x36] = "SamrOemChangePasswordUser2",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x37] = "SamrUnicodeChangePasswordUser2",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x38] = "SamrGetDomainPasswordInformation",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x39] = "SamrConnect2",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x3a] = "SamrSetInformationUser2",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x3b] = "SamrSetBootKeyInformation",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x3c] = "SamrGetBootKeyInformation",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x3d] = "SamrConnect3",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x3e] = "SamrConnect4",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x3f] = "SamrUnicodeChangePasswordUser3",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x40] = "SamrConnect5",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x41] = "SamrRidToSid",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x42] = "SamrSetDSRMPassword",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x43] = "SamrValidatePassword",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x44] = "SamrQueryLocalizableAccountsInDomain",
+ ["12345778-1234-abcd-ef00-0123456789ac",0x45] = "SamrPerformGenericOperation",
+ 
+ ["338cd001-2244-31f1-aaaa-900038001003",0x00] = "OpenClassesRoot",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x01] = "OpenCurrentUser",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x02] = "OpenLocalMachine",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x03] = "OpenPerformanceData",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x04] = "OpenUsers",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x05] = "BaseRegCloseKey",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x06] = "BaseRegCreateKey",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x07] = "BaseRegDeleteKey",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x08] = "BaseRegDeleteValue",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x09] = "BaseRegEnumKey",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x0a] = "BaseRegEnumValue",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x0b] = "BaseRegFlushKey",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x0c] = "BaseRegGetKeySecurity",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x0d] = "BaseRegLoadKey",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x0e] = "BaseRegNotifyChangeKeyValue",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x0f] = "BaseRegOpenKey",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x10] = "BaseRegQueryInfoKey",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x11] = "BaseRegQueryValue",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x12] = "BaseRegReplaceKey",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x13] = "BaseRegRestoreKey",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x14] = "BaseRegSaveKey",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x15] = "BaseRegSetKeySecurity",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x16] = "BaseRegSetValue",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x17] = "BaseRegUnLoadKey",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x18] = "BaseInitiateSystemShutdown",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x19] = "BaseAbortSystemShutdown",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x1a] = "BaseRegGetVersion",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x1b] = "OpenCurrentConfig",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x1c] = "OpenDynData",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x1d] = "BaseRegQueryMultipleValues",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x1e] = "BaseInitiateSystemShutdownEx",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x1f] = "BaseRegSaveKeyEx",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x20] = "OpenPerformanceText",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x21] = "OpenPerformanceNlsText",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x22] = "BaseRegQueryMultipleValues2",
+ ["338cd001-2244-31f1-aaaa-900038001003",0x23] = "BaseRegDeleteKeyEx",
+ 
+ # dssetup
+ ["3919286a-b10c-11d0-9ba8-00c04fd92ef5",0x00] = "DsRolerGetPrimaryDomainInformation",
+ ["3919286a-b10c-11d0-9ba8-00c04fd92ef5",0x01] = "DsRolerDnsNameToFlatName",
+ ["3919286a-b10c-11d0-9ba8-00c04fd92ef5",0x02] = "DsRolerDcAsDc",
+ ["3919286a-b10c-11d0-9ba8-00c04fd92ef5",0x03] = "DsRolerDcAsReplica",
+ ["3919286a-b10c-11d0-9ba8-00c04fd92ef5",0x04] = "DsRolerDemoteDc",
+ ["3919286a-b10c-11d0-9ba8-00c04fd92ef5",0x05] = "DsRolerGetDcOperationProgress",
+ ["3919286a-b10c-11d0-9ba8-00c04fd92ef5",0x06] = "DsRolerGetDcOperationResults",
+ ["3919286a-b10c-11d0-9ba8-00c04fd92ef5",0x07] = "DsRolerCancel",
+ ["3919286a-b10c-11d0-9ba8-00c04fd92ef5",0x08] = "DsRolerServerSaveStateForUpgrade",
+ ["3919286a-b10c-11d0-9ba8-00c04fd92ef5",0x09] = "DsRolerUpgradeDownlevelServer",
+ ["3919286a-b10c-11d0-9ba8-00c04fd92ef5",0x0a] = "DsRolerAbortDownlevelServerUpgrade",
+ 
+ # svcctl
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x00] = "CloseServiceHandle",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x01] = "ControlService",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x02] = "DeleteService",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x03] = "LockServiceDatabase",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x04] = "QueryServiceObjectSecurity",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x05] = "SetServiceObjectSecurity",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x06] = "QueryServiceStatus",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x07] = "SetServiceStatus",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x08] = "UnlockServiceDatabase",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x09] = "NotifyBootConfigStatus",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x0a] = "ScSetServiceBitsW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x0b] = "ChangeServiceConfigW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x0c] = "CreateServiceW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x0d] = "EnumDependentServicesW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x0e] = "EnumServicesStatusW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x0f] = "OpenSCManagerW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x10] = "OpenServiceW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x11] = "QueryServiceConfigW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x12] = "QueryServiceLockStatusW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x13] = "StartServiceW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x14] = "GetServiceDisplayNameW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x15] = "GetServiceKeyNameW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x16] = "ScSetServiceBitsA",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x17] = "ChangeServiceConfigA",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x18] = "CreateServiceA",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x19] = "EnumDependentServicesA",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x1a] = "EnumServicesStatusA",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x1b] = "OpenSCManagerA",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x1c] = "OpenServiceA",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x1d] = "QueryServiceConfigA",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x1e] = "QueryServiceLockStatusA",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x1f] = "StartServiceA",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x20] = "GetServiceDisplayNameA",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x21] = "GetServiceKeyNameA",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x22] = "ScGetCurrentGroupStateW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x23] = "EnumServiceGroupW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x24] = "ChangeServiceConfig2A",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x25] = "ChangeServiceConfig2W",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x26] = "QueryServiceConfig2A",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x27] = "QueryServiceConfig2W",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x28] = "QueryServiceStatusEx",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x29] = "EnumServicesStatusExA",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x2a] = "EnumServicesStatusExW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x2b] = "ScSendTSMessage",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x2c] = "CreateServiceWOW64A",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x2d] = "CreateServiceWOW64W",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x2e] = "ScQueryServiceTagInfo",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x2f] = "NotifyServiceStatusChange",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x30] = "GetNotifyResult",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x31] = "CloseNotifyHandle",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x32] = "ControlServiceExA",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x33] = "ControlServiceExW",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x34] = "ScSendPnPMessage",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x35] = "ScValidatePnPService",
+ ["367aeb81-9844-35f1-ad32-98f038001003",0x36] = "ScOpenServiceStatusHandle",
+ 
+ # browser
+ ["6bffd098-a112-3610-9833-012892020162",0x00] = "BrowserrServerEnum",
+ ["6bffd098-a112-3610-9833-012892020162",0x01] = "BrowserrDebugCall",
+ ["6bffd098-a112-3610-9833-012892020162",0x02] = "BrowserrQueryOtherDomains",
+ ["6bffd098-a112-3610-9833-012892020162",0x03] = "BrowserrResetNetlogonState",
+ ["6bffd098-a112-3610-9833-012892020162",0x04] = "BrowserrDebugTrace",
+ ["6bffd098-a112-3610-9833-012892020162",0x05] = "BrowserrQueryStatistics",
+ ["6bffd098-a112-3610-9833-012892020162",0x06] = "BrowserrResetStatistics",
+ ["6bffd098-a112-3610-9833-012892020162",0x07] = "NetrBrowserStatisticsClear",
+ ["6bffd098-a112-3610-9833-012892020162",0x08] = "NetrBrowserStatisticsGet",
+ ["6bffd098-a112-3610-9833-012892020162",0x09] = "BrowserrSetNetlogonState",
+ ["6bffd098-a112-3610-9833-012892020162",0x0a] = "BrowserrQueryEmulatedDomains",
+ ["6bffd098-a112-3610-9833-012892020162",0x0b] = "BrowserrServerEnumEx",
+ 
+ # AudioSrv
+ ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5",0x00] = "gfxCreateZoneFactoriesList",
+ ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5",0x01] = "gfxCreateGfxFactoriesList",
+ ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5",0x02] = "gfxCreateGfxList",
+ ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5",0x03] = "gfxRemoveGfx",
+ ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5",0x04] = "gfxAddGfx",
+ ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5",0x05] = "gfxModifyGx",
+ ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5",0x06] = "gfxOpenGfx",
+ ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5",0x07] = "gfxLogon",
+ ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5",0x08] = "gfxLogoff",
+ ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5",0x09] = "winmmRegisterSessionNotificationEvent",
+ ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5",0x0a] = "winmmUnregisterSessionNotification",
+ ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5",0x0b] = "winmmSessionConnectState",
+ ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5",0x0c] = "wdmDriverOpenDrvRegKey",
+ ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5",0x0d] = "winmmAdvisePreferredDeviceChange",
+ ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5",0x0e] = "winmmGetPnpInfo",
+ 
+ # AudioRpc
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x00] = "AudioServerConnect",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x01] = "AudioServerDisconnect",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x02] = "AudioServerInitialize",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x03] = "AudioServerGetAudioSession",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x04] = "AudioServerCreateStream",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x05] = "AudioServerDestroyStream",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x06] = "AudioServerGetStreamLatency",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x07] = "AudioServerGetMixFormat",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x08] = "AudioServerIsFormatSupported",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x09] = "AudioServerGetDevicePeriod",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x0a] = "AudioVolumeGetMasterVolumeLevelScalar",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x0b] = "AudioSessionGetProcessId",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x0c] = "AudioSessionGetState",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x0d] = "AudioSessionGetLastActivation",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x0e] = "AudioSessionGetLastInactivation",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x0f] = "AudioSessionIsSystemSoundsSession",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x10] = "AudioSessionGetDisplayName",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x11] = "AudioSessionSetDisplayName",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x12] = "AudioSessionGetSessionClass",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x13] = "AudioSessionSetSessionClass",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x14] = "AudioSessionGetVolume",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x15] = "AudioSessionSetVolume",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x16] = "AudioSessionGetMute",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x17] = "AudioSessionSetMute",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x18] = "AudioSessionGetChannelCount",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x19] = "AudioSessionSetChannelVolume",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x1a] = "AudioSessionGetChannelVolume",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x1b] = "AudioSessionSetAllVolumes",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x1c] = "AudioSessionGetAllVolumes",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x1d] = "AudioServerDisconnect",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x1e] = "AudioServerGetMixFormat",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x1f] = "PolicyConfigGetDeviceFormat",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x20] = "PolicyConfigSetDeviceFormat",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x21] = "AudioServerGetDevicePeriod",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x22] = "PolicyConfigSetProcessingPeriod",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x23] = "PolicyConfigGetShareMode",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x24] = "PolicyConfigSetShareMode",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x25] = "GetAudioSessionManager",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x26] = "AudioSessionManagerDestroy",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x27] = "AudioSessionManagerGetAudioSession",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x28] = "AudioSessionManagerGetCurrentSession",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x29] = "AudioSessionManagerGetExistingSession",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x2a] = "AudioSessionManagerAddAudioSessionClientNotification",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x2b] = "AudioSessionManagerDeleteAudioSessionClientNotification",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x2c] = "AudioSessionManagerAddAudioSessionClientNotification",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x2d] = "AudioVolumeConnect",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x2e] = "AudioVolumeDisconnect",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x2f] = "AudioVolumeGetChannelCount",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x30] = "AudioVolumeSetMasterVolumeLevel",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x31] = "AudioVolumeSetMasterVolumeLevelScalar",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x32] = "AudioVolumeGetMasterVolumeLevel",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x33] = "AudioVolumeGetMasterVolumeLevelScalar",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x34] = "AudioVolumeSetChannelVolumeLevel",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x35] = "AudioVolumeSetChannelVolumeLevelScalar",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x36] = "AudioVolumeGetChannelVolumeLevel",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x37] = "AudioVolumeGetChannelVolumeLevelScalar",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x38] = "AudioVolumeSetMute",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x39] = "AudioSessionGetDisplayName",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x3a] = "AudioVolumeAddMasterVolumeNotification",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x3b] = "AudioVolumeDeleteMasterVolumeNotification",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x3c] = "AudioMeterGetAverageRMS",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x3d] = "AudioMeterGetChannelsRMS",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x3e] = "AudioMeterGetPeakValue",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x3f] = "AudioMeterGetChannelsPeakValues",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x40] = "AudioVolumeGetStepInfo",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x41] = "AudioVolumeStepUp",
+ ["c386ca3e-9061-4a72-821e-498d83be188f",0x42] = "AudioVolumeStepDown",
+ 
+ # dhcpcsvc6
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6",0x00] = "RpcSrvRequestPrefix",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6",0x01] = "RpcSrvRenewPrefix",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6",0x02] = "RpcSrvReleasePrefix",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6",0x03] = "RpcSrvRequestParams",
+ 
+ # RpcSrvDHCPC
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x00] = "RpcSrvEnableDhcp",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x01] = "RpcSrvRenewLease",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x02] = "RpcSrvRenewLeaseByBroadcast",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x03] = "RpcSrvReleaseLease",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x04] = "RpcSrvSetFallbackParams",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x05] = "RpcSrvGetFallbackParams",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x06] = "RpcSrvFallbackRefreshParams",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x07] = "RpcSrvStaticRefreshParams",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x08] = "RpcSrvRemoveDnsRegistrations",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x09] = "RpcSrvRequestParams",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x0a] = "RpcSrvPersistentRequestParams",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x0b] = "RpcSrvRegisterParams",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x0c] = "RpcSrvDeRegisterParams",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x0d] = "RpcSrvEnumInterfaces",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x0e] = "RpcSrvQueryLeaseInfo",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x0f] = "RpcSrvSetClassId",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x10] = "RpcSrvGetClassId",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x11] = "RpcSrvSetClientId",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x12] = "RpcSrvGetClientId",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x13] = "RpcSrvNotifyMediaReconnected",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x14] = "RpcSrvGetOriginalSubnetMask",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x15] = "RpcSrvSetMSFTVendorSpecificOptions",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x16] = "RpcSrvRequestCachedParams",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x17] = "RpcSrvRegisterConnectionStateNotification",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x18] = "RpcSrvDeRegisterConnectionStateNotification",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x19] = "RpcSrvGetNotificationStatus",
+ ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5",0x1a] = "RpcSrvGetDhcpServicedConnections",
+ 
+ # lcrpc
+ ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8",0x00] = "RpcLicensingOpenServer",
+ ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8",0x01] = "RpcLicensingCloseServer",
+ ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8",0x02] = "RpcLicensingLoadPolicy",
+ ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8",0x03] = "RpcLicensingUnloadPolicy",
+ ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8",0x04] = "RpcLicensingSetPolicy",
+ ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8",0x05] = "RpcLicensingGetAvailablePolicyIds",
+ ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8",0x06] = "RpcLicensingGetPolicy",
+ ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8",0x07] = "RpcLicensingGetPolicyInformation",
+ ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8",0x08] = "RpcLicensingDeactivateCurrentPolicy",
+ 
+ # winstation_rpc
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x00] = "RpcWinStationOpenServer",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x01] = "RpcWinStationCloseServer",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x02] = "RpcIcaServerPing",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x03] = "RpcWinStationEnumerate",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x04] = "RpcWinStationRename",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x05] = "RpcWinStationQueryInformation",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x06] = "RpcWinStationSetInformation",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x07] = "RpcWinStationSendMessage",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x08] = "RpcLogonIdFromWinStationName",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x09] = "RpcWinStationNameFromLogonId",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x0a] = "RpcWinStationConnect",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x0b] = "RpcWinStationVirtualOpen",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x0c] = "RpcWinStationBeepOpen",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x0d] = "RpcWinStationDisconnect",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x0e] = "RpcWinStationReset",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x0f] = "RpcWinStationShutdownSystem",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x10] = "RpcWinStationWaitSystemEvent",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x11] = "RpcWinStationShadow",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x12] = "RpcWinStationShadowTargetSetup",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x13] = "RpcWinStationShadowTarget",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x14] = "RpcWinStationGenerateLicense",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x15] = "RpcWinStationInstallLicense",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x16] = "RpcWinStationEnumerateLicenses",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x17] = "RpcWinStationActivateLicense",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x18] = "RpcWinStationRemoveLicense",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x19] = "RpcWinStationQueryLicense",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x1a] = "RpcWinStationSetPoolCount",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x1b] = "RpcWinStationQueryUpdateRequired",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x1c] = "RpcWinStationCallback",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x1d] = "RpcWinStationGetApplicationInfo",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x1e] = "RpcWinStationReadRegistry",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x1f] = "RpcWinStationWaitForConnect",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x20] = "RpcWinStationNotifyLogon",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x21] = "RpcWinStationNotifyLogoff",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x22] = "RpcWinStationEnumerateProcesses",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x23] = "RpcWinStationAnnoyancePopup",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x24] = "RpcWinStationEnumerateProcesses",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x25] = "RpcWinStationTerminateProcess",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x26] = "RpcServerNWLogonSetAdmin",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x27] = "RpcServerNWLogonQueryAdmin",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x28] = "RpcWinStationNtsdDebug",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x29] = "RpcWinStationBreakPoint",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x2a] = "RpcWinStationCheckForApplicationName",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x2b] = "RpcWinStationGetAllProcesses",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x2c] = "RpcWinStationGetProcessSid",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x2d] = "RpcWinStationGetTermSrvCountersValue",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x2e] = "RpcWinStationReInitializeSecurity",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x2f] = "RpcWinStationBroadcastSystemMessage",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x30] = "RpcWinStationSendWindowMessage",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x31] = "RpcWinStationNotifyNewSession",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x32] = "RpcServerGetInternetConnectorStatus",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x33] = "RpcServerSetInternetConnectorStatus",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x34] = "RpcServerQueryInetConnectorInformation",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x35] = "RpcWinStationGetLanAdapterName",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x36] = "RpcWinStationUpdateUserConfig",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x37] = "RpcWinStationQueryLogonCredentials",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x38] = "RpcWinStationRegisterConsoleNotification",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x39] = "RpcWinStationUnRegisterConsoleNotification",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x3a] = "RpcWinStationUpdateSettings",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x3b] = "RpcWinStationShadowStop",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x3c] = "RpcWinStationCloseServerEx",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x3d] = "RpcWinStationIsHelpAssistantSession",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x3e] = "RpcWinStationGetMachinePolicy",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x3f] = "RpcWinStationUpdateClientCachedCredentials",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x40] = "RpcWinStationFUSCanRemoteUserDisconnect",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x41] = "RpcWinStationCheckLoopBack",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x42] = "RpcConnectCallback",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x43] = "RpcWinStationNotifyDisconnectPipe",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x44] = "RpcWinStationSessionInitialized",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x45] = "RpcRemoteAssistancePrepareSystemRestore",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x46] = "RpcWinStationGetAllProcesses_NT6",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x47] = "RpcWinStationRegisterNotificationEvent",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x48] = "RpcWinStationUnRegisterNotificationEvent",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x49] = "RpcWinStationAutoReconnect",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x4a] = "RpcWinStationCheckAccess",
+ ["5ca4a760-ebb1-11cf-8611-00a0245420ed",0x4b] = "RpcWinStationOpenSessionDirectory",
+ 
+ # NsiS
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c3",0x00] = "nsi_binding_export",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c3",0x01] = "nsi_binding_unexport",
+ 
+ # NsiC
+ ["d3fbb514-0e3b-11cb-8fad-08002b1d29c3",0x00] = "nsi_binding_lookup_begin",
+ ["d3fbb514-0e3b-11cb-8fad-08002b1d29c3",0x01] = "nsi_binding_lookup_done",
+ ["d3fbb514-0e3b-11cb-8fad-08002b1d29c3",0x02] = "nsi_binding_lookup_next",
+ ["d3fbb514-0e3b-11cb-8fad-08002b1d29c3",0x03] = "nsi_mgmt_handle_set_exp_age",
+ 
+ # NsiM
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x00] = "nsi_group_delete",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x01] = "nsi_group_mbr_add",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x02] = "nsi_group_mbr_remove",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x03] = "nsi_group_mbr_inq_begin",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x04] = "nsi_group_mbr_inq_next",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x05] = "nsi_group_mbr_inq_done",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x06] = "nsi_profile_delete",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x07] = "nsi_profile_elt_add",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x08] = "nsi_profile_elt_remove",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x09] = "nsi_profile_elt_inq_begin",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x0a] = "nsi_profile_elt_inq_next",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x0b] = "nsi_profile_elt_inq_done",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x0c] = "nsi_entry_object_inq_begin",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x0d] = "nsi_entry_object_inq_next",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x0e] = "nsi_entry_object_inq_done",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x0f] = "nsi_entry_expand_name",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x10] = "nsi_mgmt_binding_unexport",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x11] = "nsi_mgmt_entry_delete",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x12] = "nsi_mgmt_entry_create",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x13] = "nsi_mgmt_entry_inq_if_ids",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x14] = "nsi_mgmt_inq_exp_age",
+ ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4",0x15] = "nsi_mgmt_inq_set_age",
+ 
+ # eventlog
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x00] = "ElfrClearELFW",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x01] = "ElfrBackupELFW",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x02] = "ElfrCloseEL",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x03] = "ElfrDeregisterEventSource",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x04] = "ElfrNumberOfRecords",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x05] = "ElfrOldestRecord",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x06] = "ElfrChangeNotify",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x07] = "ElfrOpenELW",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x08] = "ElfrRegisterEventSourceW",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x09] = "ElfrOpenBELW",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x0a] = "ElfrReadELW",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x0b] = "ElfrReportEventW",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x0c] = "ElfrClearELFA",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x0d] = "ElfrBackupELFA",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x0e] = "ElfrOpenELA",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x0f] = "ElfrRegisterEventSourceA",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x10] = "ElfrOpenBELA",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x11] = "ElfrReadELA",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x12] = "ElfrReportEventA",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x13] = "ElfrRegisterClusterSvc",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x14] = "ElfrDeregisterClusterSvc",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x15] = "ElfrWriteClusterEvents",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x16] = "ElfrGetLogInformation",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x17] = "ElfrFlushEL",
+ ["82273fdc-e32a-18c3-3f78-827929dc23ea",0x18] = "ElfrReportEventAndSourceW",
+ 
+ # ISeclogon
+ ["12b81e99-f207-4a4c-85d3-77b42f76fd14",0x00] = "SeclCreateProcessWithLogonW",
+ ["12b81e99-f207-4a4c-85d3-77b42f76fd14",0x01] = "SeclCreateProcessWithLogonExW",
+ 
+ # IKeySvc
+ ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b",0x00] = "KeyrOpenKeyService",
+ ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b",0x01] = "KeyrEnumerateProviders",
+ ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b",0x02] = "KeyrEnumerateProviderTypes",
+ ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b",0x03] = "KeyrEnumerateProvContainers",
+ ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b",0x04] = "KeyrCloseKeyService",
+ ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b",0x05] = "KeyrGetDefaultProvider",
+ ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b",0x06] = "KeyrSetDefaultProvider",
+ ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b",0x07] = "KeyrEnroll",
+ 
["8d0ffe72-d252-11d0-bf8f-00c04fd9126b",0x08] = "KeyrExportCert", + ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b",0x09] = "KeyrImportCert", + ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b",0x0a] = "KeyrEnumerateAvailableCertTypes", + ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b",0x0b] = "KeyrEnumerateCAs", + ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b",0x0c] = "KeyrEnroll_V2", + ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b",0x0d] = "KeyrQueryRequestStatus", + + # IKeySvc2 + ["68b58241-c259-4f03-a2e5-a2651dcbc930",0x00] = "KSrSubmitRequest", + ["68b58241-c259-4f03-a2e5-a2651dcbc930",0x01] = "KSrGetTemplates", + ["68b58241-c259-4f03-a2e5-a2651dcbc930",0x02] = "KSrGetCAs", + + # ICertProtect + ["0d72a7d4-6148-11d1-b4aa-00c04fb66ea0",0x00] = "SSCertProtectFunction", + + # ICatDBSvc + ["f50aac00-c7f3-428e-a022-a6b71bfb9d43",0x00] = "SSCatDBAddCatalog", + ["f50aac00-c7f3-428e-a022-a6b71bfb9d43",0x01] = "SSCatDBDeleteCatalog", + ["f50aac00-c7f3-428e-a022-a6b71bfb9d43",0x02] = "SSCatDBEnumCatalogs", + ["f50aac00-c7f3-428e-a022-a6b71bfb9d43",0x03] = "SSCatDBRegisterForChangeNotification", + ["f50aac00-c7f3-428e-a022-a6b71bfb9d43",0x04] = "KeyrCloseKeyService", + ["f50aac00-c7f3-428e-a022-a6b71bfb9d43",0x05] = "SSCatDBRebuildDatabase", + + # lsarpc + ["12345778-1234-abcd-ef00-0123456789ab",0x00] = "LsarClose", + ["12345778-1234-abcd-ef00-0123456789ab",0x01] = "LsarDelete", + ["12345778-1234-abcd-ef00-0123456789ab",0x02] = "LsarEnumeratePrivileges", + ["12345778-1234-abcd-ef00-0123456789ab",0x03] = "LsarQuerySecurityObject", + ["12345778-1234-abcd-ef00-0123456789ab",0x04] = "LsarSetSecurityObject", + ["12345778-1234-abcd-ef00-0123456789ab",0x05] = "LsarChangePassword", + ["12345778-1234-abcd-ef00-0123456789ab",0x06] = "LsarOpenPolicy", + ["12345778-1234-abcd-ef00-0123456789ab",0x07] = "LsarQueryInformationPolicy", + ["12345778-1234-abcd-ef00-0123456789ab",0x08] = "LsarSetInformationPolicy", + ["12345778-1234-abcd-ef00-0123456789ab",0x09] = "LsarClearAuditLog", + 
["12345778-1234-abcd-ef00-0123456789ab",0x0a] = "LsarCreateAccount", + ["12345778-1234-abcd-ef00-0123456789ab",0x0b] = "LsarEnumerateAccounts", + ["12345778-1234-abcd-ef00-0123456789ab",0x0c] = "LsarCreateTrustedDomain", + ["12345778-1234-abcd-ef00-0123456789ab",0x0d] = "LsarEnumerateTrustedDomains", + ["12345778-1234-abcd-ef00-0123456789ab",0x0e] = "LsarLookupNames", + ["12345778-1234-abcd-ef00-0123456789ab",0x0f] = "LsarLookupSids", + ["12345778-1234-abcd-ef00-0123456789ab",0x10] = "LsarCreateSecret", + ["12345778-1234-abcd-ef00-0123456789ab",0x11] = "LsarOpenAccount", + ["12345778-1234-abcd-ef00-0123456789ab",0x12] = "LsarEnumeratePrivilegesAccount", + ["12345778-1234-abcd-ef00-0123456789ab",0x13] = "LsarAddPrivilegesToAccount", + ["12345778-1234-abcd-ef00-0123456789ab",0x14] = "LsarRemovePrivilegesFromAccount", + ["12345778-1234-abcd-ef00-0123456789ab",0x15] = "LsarGetQuotasForAccount", + ["12345778-1234-abcd-ef00-0123456789ab",0x16] = "LsarSetQuotasForAccount", + ["12345778-1234-abcd-ef00-0123456789ab",0x17] = "LsarGetSystemAccessAccount", + ["12345778-1234-abcd-ef00-0123456789ab",0x18] = "LsarSetSystemAccessAccount", + ["12345778-1234-abcd-ef00-0123456789ab",0x19] = "LsarOpenTrustedDomain", + ["12345778-1234-abcd-ef00-0123456789ab",0x1a] = "LsarQueryInfoTrustedDomain", + ["12345778-1234-abcd-ef00-0123456789ab",0x1b] = "LsarSetInformationTrustedDomain", + ["12345778-1234-abcd-ef00-0123456789ab",0x1c] = "LsarOpenSecret", + ["12345778-1234-abcd-ef00-0123456789ab",0x1d] = "LsarSetSecret", + ["12345778-1234-abcd-ef00-0123456789ab",0x1e] = "LsarQuerySecret", + ["12345778-1234-abcd-ef00-0123456789ab",0x1f] = "LsarLookupPrivilegeValue", + ["12345778-1234-abcd-ef00-0123456789ab",0x20] = "LsarLookupPrivilegeName", + ["12345778-1234-abcd-ef00-0123456789ab",0x21] = "LsarLookupPrivilegeDisplayName", + ["12345778-1234-abcd-ef00-0123456789ab",0x22] = "LsarDeleteObject", + ["12345778-1234-abcd-ef00-0123456789ab",0x23] = "LsarEnumerateAccountsWithUserRight", + 
["12345778-1234-abcd-ef00-0123456789ab",0x24] = "LsarEnumerateAccountRights", + ["12345778-1234-abcd-ef00-0123456789ab",0x25] = "LsarAddAccountRights", + ["12345778-1234-abcd-ef00-0123456789ab",0x26] = "LsarRemoveAccountRights", + ["12345778-1234-abcd-ef00-0123456789ab",0x27] = "LsarQueryTrustedDomainInfo", + ["12345778-1234-abcd-ef00-0123456789ab",0x28] = "LsarSetTrustedDomainInfo", + ["12345778-1234-abcd-ef00-0123456789ab",0x29] = "LsarDeleteTrustedDomain", + ["12345778-1234-abcd-ef00-0123456789ab",0x2a] = "LsarStorePrivateData", + ["12345778-1234-abcd-ef00-0123456789ab",0x2b] = "LsarRetrievePrivateData", + ["12345778-1234-abcd-ef00-0123456789ab",0x2c] = "LsarOpenPolicy2", + ["12345778-1234-abcd-ef00-0123456789ab",0x2d] = "LsarGetUserName", + ["12345778-1234-abcd-ef00-0123456789ab",0x2e] = "LsarQueryInformationPolicy2", + ["12345778-1234-abcd-ef00-0123456789ab",0x2f] = "LsarSetInformationPolicy2", + ["12345778-1234-abcd-ef00-0123456789ab",0x30] = "LsarQueryTrustedDomainInfoByName", + ["12345778-1234-abcd-ef00-0123456789ab",0x31] = "LsarSetTrustedDomainInfoByName", + ["12345778-1234-abcd-ef00-0123456789ab",0x32] = "LsarEnumerateTrustedDomainsEx", + ["12345778-1234-abcd-ef00-0123456789ab",0x33] = "LsarCreateTrustedDomainEx", + ["12345778-1234-abcd-ef00-0123456789ab",0x34] = "LsarCloseTrustedDomainEx", + ["12345778-1234-abcd-ef00-0123456789ab",0x35] = "LsarQueryDomainInformationPolicy", + ["12345778-1234-abcd-ef00-0123456789ab",0x36] = "LsarSetDomainInformationPolicy", + ["12345778-1234-abcd-ef00-0123456789ab",0x37] = "LsarOpenTrustedDomainByName", + ["12345778-1234-abcd-ef00-0123456789ab",0x38] = "LsarTestCall", + ["12345778-1234-abcd-ef00-0123456789ab",0x39] = "LsarLookupSids2", + ["12345778-1234-abcd-ef00-0123456789ab",0x3a] = "LsarLookupNames2", + ["12345778-1234-abcd-ef00-0123456789ab",0x3b] = "LsarCreateTrustedDomainEx2", + ["12345778-1234-abcd-ef00-0123456789ab",0x3c] = "CredrWrite", + ["12345778-1234-abcd-ef00-0123456789ab",0x3d] = "CredrRead", + 
["12345778-1234-abcd-ef00-0123456789ab",0x3e] = "CredrEnumerate", + ["12345778-1234-abcd-ef00-0123456789ab",0x3f] = "CredrWriteDomainCredentials", + ["12345778-1234-abcd-ef00-0123456789ab",0x40] = "CredrReadDomainCredentials", + ["12345778-1234-abcd-ef00-0123456789ab",0x41] = "CredrDelete", + ["12345778-1234-abcd-ef00-0123456789ab",0x42] = "CredrGetTargetInfo", + ["12345778-1234-abcd-ef00-0123456789ab",0x43] = "CredrProfileLoaded", + ["12345778-1234-abcd-ef00-0123456789ab",0x44] = "LsarLookupNames3", + ["12345778-1234-abcd-ef00-0123456789ab",0x45] = "CredrGetSessionTypes", + ["12345778-1234-abcd-ef00-0123456789ab",0x46] = "LsarRegisterAuditEvent", + ["12345778-1234-abcd-ef00-0123456789ab",0x47] = "LsarGenAuditEvent", + ["12345778-1234-abcd-ef00-0123456789ab",0x48] = "LsarUnregisterAuditEvent", + ["12345778-1234-abcd-ef00-0123456789ab",0x49] = "LsarQueryForestTrustInformation", + ["12345778-1234-abcd-ef00-0123456789ab",0x4a] = "LsarSetForestTrustInformation", + ["12345778-1234-abcd-ef00-0123456789ab",0x4b] = "CredrRename", + ["12345778-1234-abcd-ef00-0123456789ab",0x4c] = "LsarLookupSids3", + ["12345778-1234-abcd-ef00-0123456789ab",0x4d] = "LsarLookupNames4", + ["12345778-1234-abcd-ef00-0123456789ab",0x4e] = "LsarOpenPolicySce", + ["12345778-1234-abcd-ef00-0123456789ab",0x4f] = "LsarAdtRegisterSecurityEventSource", + ["12345778-1234-abcd-ef00-0123456789ab",0x50] = "LsarAdtUnregisterSecurityEventSource", + ["12345778-1234-abcd-ef00-0123456789ab",0x51] = "LsarAdtReportSecurityEvent", + ["12345778-1234-abcd-ef00-0123456789ab",0x52] = "CredrFindBestCredential", + ["12345778-1234-abcd-ef00-0123456789ab",0x53] = "LsarSetAuditPolicy", + ["12345778-1234-abcd-ef00-0123456789ab",0x54] = "LsarQueryAuditPolicy", + ["12345778-1234-abcd-ef00-0123456789ab",0x55] = "LsarEnumerateAuditPolicy", + ["12345778-1234-abcd-ef00-0123456789ab",0x56] = "LsarEnumerateAuditCategories", + ["12345778-1234-abcd-ef00-0123456789ab",0x57] = "LsarEnumerateAuditSubCategories", + 
["12345778-1234-abcd-ef00-0123456789ab",0x58] = "LsarLookupAuditCategoryName", + ["12345778-1234-abcd-ef00-0123456789ab",0x59] = "LsarLookupAuditSubCategoryName", + ["12345778-1234-abcd-ef00-0123456789ab",0x5a] = "LsarSetAuditSecurity", + ["12345778-1234-abcd-ef00-0123456789ab",0x5b] = "LsarQueryAuditSecurity", + ["12345778-1234-abcd-ef00-0123456789ab",0x5c] = "CredReadByTokenHandle", + ["12345778-1234-abcd-ef00-0123456789ab",0x5d] = "CredrRestoreCredentials", + ["12345778-1234-abcd-ef00-0123456789ab",0x5e] = "CredrBackupCredentials", + + # msgsvc + ["17fdd703-1827-4e34-79d4-24a55c53bb37",0x00] = "NetrMessageNameAdd", + ["17fdd703-1827-4e34-79d4-24a55c53bb37",0x01] = "NetrMessageNameEnum", + ["17fdd703-1827-4e34-79d4-24a55c53bb37",0x02] = "NetrMessageNameGetInfo", + ["17fdd703-1827-4e34-79d4-24a55c53bb37",0x03] = "NetrMessageNameDel", + + # msgsvcsend + ["5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc",0x00] = "NetrSendMessage", + + # pnp + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x00] = "PNP_Disconnect", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x01] = "PNP_Connect", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x02] = "PNP_GetVersion", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x03] = "PNP_GetGlobalState", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x04] = "PNP_InitDetection", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x05] = "PNP_ReportLogOn", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x06] = "PNP_ValidateDeviceInstance", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x07] = "PNP_GetRootDeviceInstance", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x08] = "PNP_GetRelatedDeviceInstance", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x09] = "PNP_EnumerateSubKeys", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x0a] = "PNP_GetDeviceList", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x0b] = "PNP_GetDeviceListSize", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x0c] = "PNP_GetDepth", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x0d] = "PNP_GetDeviceRegProp", + 
["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x0e] = "PNP_SetDeviceRegProp", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x0f] = "PNP_GetClassInstance", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x10] = "PNP_CreateKey", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x11] = "PNP_DeleteRegistryKey", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x12] = "PNP_GetClassCount", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x13] = "PNP_GetClassName", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x14] = "PNP_DeleteClassKey", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x15] = "PNP_GetInterfaceDeviceAlias", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x16] = "PNP_GetInterfaceDeviceList", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x17] = "PNP_GetInterfaceDeviceListSize", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x18] = "PNP_RegisterDeviceClassAssociation", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x19] = "PNP_UnregisterDeviceClassAssociation", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x1a] = "PNP_GetClassRegProp", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x1b] = "PNP_SetClassRegProp", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x1c] = "PNP_CreateDevInst", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x1d] = "PNP_DeviceInstanceAction", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x1e] = "PNP_GetDeviceStatus", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x1f] = "PNP_SetDeviceProblem", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x20] = "PNP_DisableDevInst", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x21] = "PNP_UninstallDevInst", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x22] = "PNP_AddID", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x23] = "PNP_RegisterDriver", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x24] = "PNP_QueryRemove", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x25] = "PNP_RequestDeviceEject", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x26] = "PNP_IsDockStationPresent", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x27] = "PNP_RequestEjectPC", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x28] = 
"PNP_HwProfFlags", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x29] = "PNP_GetHwProfInfo", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x2a] = "PNP_AddEmptyLogConf", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x2b] = "PNP_FreeLogConf", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x2c] = "PNP_GetFirstLogConf", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x2d] = "PNP_GetNextLogConf", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x2e] = "PNP_GetLogConfPriority", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x2f] = "PNP_AddResDes", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x30] = "PNP_FreeResDes", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x31] = "PNP_GetNextResDes", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x32] = "PNP_GetResDesData", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x33] = "PNP_GetResDesDataSize", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x34] = "PNP_ModifyResDes", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x35] = "PNP_DetectResourceConflict", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x36] = "PNP_QueryResConfList", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x37] = "PNP_SetHwProf", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x38] = "PNP_QueryArbitratorFreeData", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x39] = "PNP_QueryArbitratorFreeSize", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x3a] = "PNP_RunDetection", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x3b] = "PNP_RegisterNotification", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x3c] = "PNP_UnregisterNotification", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x3d] = "PNP_GetCustomDevProp", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x3e] = "PNP_GetVersionInternal", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x3f] = "PNP_GetBlockedDriverInfo", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x40] = "PNP_GetServerSideDeviceInstallFlags", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x41] = "PNP_GetObjectPropKeys", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x42] = "PNP_GetObjectProp", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x43] = 
"PNP_SetObjectProp", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x44] = "PNP_InstallDevInst", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x45] = "PNP_ApplyPowerSettings", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x46] = "PNP_DriverStoreAddDriverPackage", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x47] = "PNP_DriverStoreDeleteDriverPackage", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x48] = "PNP_RegisterServiceNotification", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x49] = "PNP_SetActiveService", + ["8d9f4e40-a03d-11ce-8f69-08003e30051b",0x4a] = "PNP_DeleteServiceDevices", + + # DnsServer + ["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x00] = "DnssrvOperation", + ["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x01] = "DnssrvQuery", + ["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x02] = "DnssrvComplexOperation", + ["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x03] = "DnssrvEnumRecords", + ["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x04] = "DnssrvUpdateRecord", + ["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x05] = "DnssrvOperation2", + ["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x06] = "DnssrvQuery2", + ["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x07] = "DnssrvComplexOperation2", + ["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x08] = "DnssrvEnumRecords2", + ["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x09] = "DnssrvUpdateRecord2", + + # lls_license + ["57674cd0-5200-11ce-a897-08002b2e9c6d",0x00] = "LlsrLicenseRequestW", + ["57674cd0-5200-11ce-a897-08002b2e9c6d",0x01] = "LlsrLicenseFree", + + # llsrpc + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x00] = "LlsrConnect", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x01] = "LlsrClose", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x02] = "LlsrLicenseEnumW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x03] = "LlsrLicenseEnumA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x04] = "LlsrLicenseAddW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x05] = "LlsrLicenseAddA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x06] = "LlsrProductEnumW", + 
["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x07] = "LlsrProductEnumA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x08] = "LlsrProductAddW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x09] = "LlsrProductAddA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x0a] = "LlsrProductUserEnumW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x0b] = "LlsrProductUserEnumA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x0c] = "LlsrProductServerEnumW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x0d] = "LlsrProductServerEnumA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x0e] = "LlsrProductLicenseEnumW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x0f] = "LlsrProductLicenseEnumA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x10] = "LlsrUserEnumW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x11] = "LlsrUserEnumA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x12] = "LlsrUserInfoGetW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x13] = "LlsrUserInfoGetA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x14] = "LlsrUserInfoSetW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x15] = "LlsrUserInfoSetA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x16] = "LlsrUserDeleteW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x17] = "LlsrUserDeleteA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x18] = "LlsrUserProductEnumW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x19] = "LlsrUserProductEnumA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x1a] = "LlsrUserProductDeleteW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x1b] = "LlsrUserProductDeleteA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x1c] = "LlsrMappingEnumW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x1d] = "LlsrMappingEnumA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x1e] = "LlsrMappingInfoGetW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x1f] = "LlsrMappingInfoGetA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x20] = "LlsrMappingInfoSetW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x21] = "LlsrMappingInfoSetA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x22] = 
"LlsrMappingUserEnumW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x23] = "LlsrMappingUserEnumA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x24] = "LlsrMappingUserAddW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x25] = "LlsrMappingUserAddA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x26] = "LlsrMappingUserDeleteW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x27] = "LlsrMappingUserDeleteA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x28] = "LlsrMappingAddW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x29] = "LlsrMappingAddA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x2a] = "LlsrMappingDeleteW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x2b] = "LlsrMappingDeleteA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x2c] = "LlsrServerEnumW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x2d] = "LlsrServerEnumA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x2e] = "LlsrServerProductEnumW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x2f] = "LlsrServerProductEnumA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x30] = "LlsrLocalProductEnumW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x31] = "LlsrLocalProductEnumA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x32] = "LlsrLocalProductInfoGetW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x33] = "LlsrLocalProductInfoGetA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x34] = "LlsrLocalProductInfoSetW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x35] = "LlsrLocalProductInfoSetA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x36] = "LlsrServiceInfoGetW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x37] = "LlsrServiceInfoGetA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x38] = "LlsrServiceInfoSetW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x39] = "LlsrServiceInfoSetA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x3a] = "LlsrReplConnect", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x3b] = "LlsrReplClose", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x3c] = "LlsrReplicationRequestW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x3d] = 
"LlsrReplicationServerAddW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x3e] = "LlsrReplicationServerServiceAddW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x3f] = "LlsrReplicationServiceAddW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x40] = "LlsrReplicationUserAddW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x41] = "LlsrProductSecurityGetW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x42] = "LlsrProductSecurityGetA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x43] = "LlsrProductSecuritySetW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x44] = "LlsrProductSecuritySetA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x45] = "LlsrProductLicensesGetA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x46] = "LlsrProductLicensesGetW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x47] = "LlsrCertificateClaimEnumA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x48] = "LlsrCertificateClaimEnumW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x49] = "LlsrCertificateClaimAddCheckA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x4a] = "LlsrCertificateClaimAddCheckW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x4b] = "LlsrCertificateClaimAddA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x4c] = "LlsrCertificateClaimAddW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x4d] = "LlsrReplicationCertDbAddW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x4e] = "LlsrReplicationProductSecurityAddW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x4f] = "LlsrReplicationUserAddExW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x50] = "LlsrCapabilityGet", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x51] = "LlsrLocalServiceEnumW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x52] = "LlsrLocalServiceEnumA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x53] = "LlsrLocalServiceAddA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x54] = "LlsrLocalServiceAddW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x55] = "LlsrLocalServiceInfoSetW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x56] = "LlsrLocalServiceInfoSetA", + 
["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x57] = "LlsrLocalServiceInfoGetW", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x58] = "LlsrLocalServiceInfoGetA", + ["342cfd40-3c6c-11ce-a893-08002b2e9c6d",0x59] = "LlsrCloseEx", + + # ICertPassage + ["91ae6020-9e3c-11cf-8d7c-00aa00c091be",0x00] = "CertServerRequest", + + # netdfs + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x00] = "NetrDfsManagerGetVersion", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x01] = "NetrDfsAdd", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x02] = "NetrDfsRemove", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x03] = "NetrDfsSetInfo", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x04] = "NetrDfsGetInfo", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x05] = "NetrDfsEnum", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x06] = "NetrDfsRename", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x07] = "NetrDfsMove", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x08] = "NetrDfsManagerGetConfigInfo", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x09] = "NetrDfsManagerSendSiteInfo", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x0a] = "NetrDfsAddFtRoot", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x0b] = "NetrDfsRemoveFtRoot", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x0c] = "NetrDfsAddStdRoot", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x0d] = "NetrDfsRemoveStdRoot", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x0e] = "NetrDfsManagerInitialize", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x0f] = "NetrDfsAddStdRootForced", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x10] = "NetrDfsGetDcAddress", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x11] = "NetrDfsSetDcAddress", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x12] = "NetrDfsFlushFtTable", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x13] = "NetrDfsAdd2", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x14] = "NetrDfsRemove2", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x15] = "NetrDfsEnumEx", + ["4fc742e0-4a10-11cf-8273-00aa004ae673",0x16] = "NetrDfsSetInfo2", + + # sfcapi + 
["83da7c00-e84f-11d2-9807-00c04f8ec850",0x00] = "SfcSrv_GetNextProtectedFile", + ["83da7c00-e84f-11d2-9807-00c04f8ec850",0x01] = "SfcSrv_IsFileProtected", + ["83da7c00-e84f-11d2-9807-00c04f8ec850",0x02] = "SfcSrv_FileException", + ["83da7c00-e84f-11d2-9807-00c04f8ec850",0x03] = "SfcSrv_InitiateScan", + ["83da7c00-e84f-11d2-9807-00c04f8ec850",0x04] = "SfcSrv_PurgeCache", + ["83da7c00-e84f-11d2-9807-00c04f8ec850",0x05] = "SfcSrv_SetCacheSize", + ["83da7c00-e84f-11d2-9807-00c04f8ec850",0x06] = "SfcSrv_SetDisable", + ["83da7c00-e84f-11d2-9807-00c04f8ec850",0x07] = "SfcSrv_InstallProtectedFiles", + + # nddeapi + ["2f5f3220-c126-1076-b549-074d078619da",0x00] = "NDdeShareAddW", + ["2f5f3220-c126-1076-b549-074d078619da",0x01] = "NDdeShareDelA", + ["2f5f3220-c126-1076-b549-074d078619da",0x02] = "NDdeShareDelW", + ["2f5f3220-c126-1076-b549-074d078619da",0x03] = "NDdeGetShareSecurityA", + ["2f5f3220-c126-1076-b549-074d078619da",0x04] = "NDdeGetShareSecurityW", + ["2f5f3220-c126-1076-b549-074d078619da",0x05] = "NDdeSetShareSecurityA", + ["2f5f3220-c126-1076-b549-074d078619da",0x06] = "NDdeSetShareSecurityW", + ["2f5f3220-c126-1076-b549-074d078619da",0x07] = "NDdeShareEnumA", + ["2f5f3220-c126-1076-b549-074d078619da",0x08] = "NDdeShareEnumW", + ["2f5f3220-c126-1076-b549-074d078619da",0x09] = "NDdeShareGetInfoW", + ["2f5f3220-c126-1076-b549-074d078619da",0x0a] = "NDdeShareSetInfoW", + ["2f5f3220-c126-1076-b549-074d078619da",0x0b] = "NDdeSetTrustedShareA", + ["2f5f3220-c126-1076-b549-074d078619da",0x0c] = "NDdeSetTrustedShareW", + ["2f5f3220-c126-1076-b549-074d078619da",0x0d] = "NDdeGetTrustedShareA", + ["2f5f3220-c126-1076-b549-074d078619da",0x0e] = "NDdeGetTrustedShareW", + ["2f5f3220-c126-1076-b549-074d078619da",0x0f] = "NDdeTrustedShareEnumA", + ["2f5f3220-c126-1076-b549-074d078619da",0x10] = "NDdeTrustedShareEnumW", + ["2f5f3220-c126-1076-b549-074d078619da",0x12] = "NDdeSpecialCommand", + + ["3dde7c30-165d-11d1-ab8f-00805f14db40",0x00] = "bkrp_BackupKey", + } &redef 
&default=function(uuid: string, i: count): string { return fmt("unknown-%d", i); };
+}
diff --git a/scripts/base/protocols/dce-rpc/dpd.sig b/scripts/base/protocols/dce-rpc/dpd.sig
new file mode 100644
index 0000000000..2894af805b
--- /dev/null
+++ b/scripts/base/protocols/dce-rpc/dpd.sig
@@ -0,0 +1,6 @@
+
+signature dpd_dce_rpc {
+ ip-proto == tcp
+ payload /^\x05[\x00\x01][\x00-\x13]\x03/
+ enable "DCE_RPC"
+}
\ No newline at end of file
diff --git a/scripts/base/protocols/dce-rpc/main.bro b/scripts/base/protocols/dce-rpc/main.bro
new file mode 100644
index 0000000000..565b208db0
--- /dev/null
+++ b/scripts/base/protocols/dce-rpc/main.bro
@@ -0,0 +1,109 @@
+@load ./consts
+
+module DCE_RPC;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ ## Timestamp for when the event happened.
+ ts : time &log;
+ ## Unique ID for the connection.
+ uid : string &log;
+ ## The connection's 4-tuple of endpoint addresses/ports.
+ id : conn_id &log;
+ ## Round trip time from the request to the response.
+ ## If either the request or response wasn't seen,
+ ## this will be null.
+ rtt : interval &log &optional;
+
+ ## Remote pipe name.
+ named_pipe : string &log &optional;
+ ## Endpoint name looked up from the uuid.
+ endpoint : string &log &optional;
+ ## Operation seen in the call.
+ operation : string &log &optional;
+ };
+
+ ## Set of interface UUID values to ignore.
+ const ignored_uuids = set("e1af8308-5d1f-11c9-91a4-08002b14a0fa") &redef;
+}
+
+redef record Info += {
+ uuid: string &optional;
+};
+
+redef record connection += {
+ dce_rpc: Info &optional;
+};
+
+const ports = { 135/tcp };
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(DCE_RPC::LOG, [$columns=Info, $path="dce_rpc"]);
+ Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, ports);
+ }
+
+function set_session(c: connection)
+ {
+ if ( ! c?$dce_rpc )
+ {
+ c$dce_rpc = [$ts=network_time(),
+ $id=c$id,
+ $uid=c$uid];
+ }
+ }
+
+event dce_rpc_bind(c: connection, uuid: string, version: string) &priority=5
+ {
+ set_session(c);
+
+ local uuid_str = uuid_to_string(uuid);
+ if ( uuid_str in ignored_uuids )
+ return;
+
+ c$dce_rpc$uuid = uuid_str;
+ c$dce_rpc$endpoint = uuid_endpoint_map[uuid_str];
+ }
+
+event dce_rpc_bind_ack(c: connection, sec_addr: string) &priority=5
+ {
+ set_session(c);
+
+ if ( sec_addr != "" )
+ c$dce_rpc$named_pipe = sec_addr;
+ }
+
+event dce_rpc_request(c: connection, opnum: count, stub: string) &priority=5
+ {
+ set_session(c);
+
+ if ( c?$dce_rpc && c$dce_rpc?$endpoint )
+ {
+
+ }
+ }
+
+event dce_rpc_response(c: connection, opnum: count, stub: string) &priority=5
+ {
+ set_session(c);
+
+ if ( c?$dce_rpc && c$dce_rpc?$endpoint )
+ {
+ c$dce_rpc$operation = operations[c$dce_rpc$uuid, opnum];
+ if ( c$dce_rpc$ts != network_time() )
+ c$dce_rpc$rtt = network_time() - c$dce_rpc$ts;
+
+ Log::write(LOG, c$dce_rpc);
+ }
+ }
+
+event connection_state_remove(c: connection)
+ {
+ if ( ! c?$dce_rpc )
+ return;
+
+ # TODO: Go through any remaining dce_rpc requests that haven't been processed with replies.
+ }
\ No newline at end of file
diff --git a/src/analyzer/protocol/dce-rpc/CMakeLists.txt b/src/analyzer/protocol/dce-rpc/CMakeLists.txt
index 8ccbf094d4..bfe2b8d11c 100644
--- a/src/analyzer/protocol/dce-rpc/CMakeLists.txt
+++ b/src/analyzer/protocol/dce-rpc/CMakeLists.txt
@@ -5,8 +5,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 bro_plugin_begin(Bro DCE_RPC)
 bro_plugin_cc(DCE_RPC.cc Plugin.cc)
-bro_plugin_bif(events.bif)
+bro_plugin_bif(types.bif events.bif)
 bro_plugin_pac(dce_rpc.pac dce_rpc-protocol.pac dce_rpc-analyzer.pac epmapper.pac)
-bro_plugin_pac(dce_rpc_simple.pac dce_rpc-protocol.pac epmapper.pac)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/dce-rpc/DCE_RPC.cc b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc
index 49a9647c0f..0099160d9e 100644
--- a/src/analyzer/protocol/dce-rpc/DCE_RPC.cc
+++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc
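Review bot: The `payload` pattern `/^\x05[\x00\x01][\x00-\x13]\x03/` only matches when the fourth byte (pfc_flags) is exactly 0x03, FIRST_FRAG|LAST_FRAG, so the first PDU of a fragmented bind or request (flags 0x01) or a PDU with any additional flag bit set never triggers the analyzer, and off-port DCE/RPC of that shape is only analysed on 135/tcp, the single port main.bro registers. A character class on the flag byte, e.g. `payload /^\x05[\x00\x01][\x00-\x13][\x01\x03]/`, keeps dynamic detection working for those PDUs while still anchoring on version, minor version and packet type. Nothing in this hunk installs the signature; unless the package's `__load__.bro` carries `@load-sigs ./dpd.sig`, the file is inert and the analyzer is only ever attached through the explicit port registration, which is worth checking before relying on this for detection of DCE/RPC on non-standard ports.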
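Review bot: `rtt` in dce_rpc_response is measured against `c$dce_rpc$ts`, which `set_session` fixes at the first PDU of the connection and nothing updates afterwards, so every call logged after the first reports the time since the bind rather than its own request latency, and every line of the connection carries that same `ts`. The empty `if` body in dce_rpc_request is where the per-call state should be stamped, `c$dce_rpc$ts = network_time();`, and after `Log::write(LOG, c$dce_rpc);` the call-specific fields should be cleared with `delete c$dce_rpc$operation; delete c$dce_rpc$rtt;` so that each log line describes one request/response pair instead of inheriting the previous call's values. The lookup `uuid_endpoint_map[uuid_str]` in dce_rpc_bind presumably relies on that table carrying a `&default`; if it does not, a bind to an interface UUID missing from the map raises a runtime "no such index" error instead of producing a log entry, and unmapped interfaces are exactly the ones an analyst wants to see in dce_rpc.log, so a guarded form such as `c$dce_rpc$endpoint = uuid_str in uuid_endpoint_map ? uuid_endpoint_map[uuid_str] : uuid_str;` is safer. The TODO in connection_state_remove also means a request that never receives a response is never written at all, which hides exactly the one-sided calls that are most interesting from a detection standpoint.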
@@ -9,580 +9,52 @@ using namespace std; #include "DCE_RPC.h" -#include "Sessions.h" - -#include "analyzer/Manager.h" - -#include "events.bif.h" using namespace analyzer::dce_rpc; -#define xbyte(b, n) (((const u_char*) (b))[n]) -#define extract_uint16(little_endian, bytes) \ - ((little_endian) ? \ - uint16(xbyte(bytes, 0)) | ((uint16(xbyte(bytes, 1))) << 8) : \ - uint16(xbyte(bytes, 1)) | ((uint16(xbyte(bytes, 0))) << 8)) - -static int uuid_index[] = { - 3, 2, 1, 0, - 5, 4, 7, 6, - 8, 9, 10, 11, - 12, 13, 14, 15 -}; - -const char* analyzer::dce_rpc::uuid_to_string(const u_char* uuid_data) - { - static char s[1024]; - char* sp = s; - - for ( int i = 0; i < 16; ++i ) - { - if ( i == 4 || i == 6 || i == 8 || i == 10 ) - sp += snprintf(sp, s + sizeof(s) - sp, "-"); - - int j = uuid_index[i]; - sp += snprintf(sp, s + sizeof(s) - sp, "%02x", uuid_data[j]); - } - - return s; - } - -UUID::UUID() - { - memset(data, 0, 16); - s = uuid_to_string(data); - } - -UUID::UUID(const u_char d[16]) - { - memcpy(data, d, 16); - s = uuid_to_string(data); - } - -UUID::UUID(const binpac::bytestring& uuid) - { - if ( uuid.length() != 16 ) - reporter->InternalError("UUID length error"); - memcpy(data, uuid.begin(), 16); - s = uuid_to_string(data); - } - -UUID::UUID(const char* str) - { - s = string(str); - const char* sp = str; - int i; - for ( i = 0; i < 16; ++i ) - { - if ( *sp == '-' ) - ++sp; - if ( ! *sp || ! 
*(sp+1) ) - break; - - data[uuid_index[i]] = - (u_char) (decode_hex(*sp) * 16 + decode_hex(*(sp+1))); - } - - if ( i != 16 ) - reporter->InternalError("invalid UUID string: %s", str); - } - -typedef map uuid_map_t; - -static uuid_map_t& well_known_uuid_map() - { - static uuid_map_t the_map; - static bool initialized = false; - - if ( initialized ) - return the_map; - - using namespace BifEnum; - - the_map[UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")] = DCE_RPC_epmapper; - - the_map[UUID("afa8bd80-7d8a-11c9-bef4-08002b102989")] = DCE_RPC_mgmt; - - // It's said that the following interfaces are merely aliases. - the_map[UUID("12345778-1234-abcd-ef00-0123456789ab")] = DCE_RPC_lsarpc; - the_map[UUID("12345678-1234-abcd-ef00-01234567cffb")] = DCE_RPC_netlogon; - the_map[UUID("12345778-1234-abcd-ef00-0123456789ac")] = DCE_RPC_samr; - - // The next group of aliases. - the_map[UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")] = DCE_RPC_srvsvc; - the_map[UUID("12345678-1234-abcd-ef00-0123456789ab")] = DCE_RPC_spoolss; - the_map[UUID("45f52c28-7f9f-101a-b52b-08002b2efabe")] = DCE_RPC_winspipe; - the_map[UUID("6bffd098-a112-3610-9833-46c3f87e345a")] = DCE_RPC_wkssvc; - - // DRS - NT directory replication service. - the_map[UUID("e3514235-4b06-11d1-ab04-00c04fc2dcd2")] = DCE_RPC_drs; - - // "The IOXIDResolver RPC interface (formerly known as - // IObjectExporter) is remotely used to reach the local object - // resolver (OR)." - the_map[UUID("99fcfec4-5260-101b-bbcb-00aa0021347a")] = DCE_RPC_oxid; - - the_map[UUID("3919286a-b10c-11d0-9ba8-00c04fd92ef5")] = DCE_RPC_lsa_ds; - - the_map[UUID("000001a0-0000-0000-c000-000000000046")] = DCE_RPC_ISCMActivator; - - initialized = true; - return the_map; - } - -// Used to remember mapped DCE/RPC endpoints and parse the follow-up -// connections as DCE/RPC sessions. 
-map dce_rpc_endpoints; - -static bool is_mapped_dce_rpc_endpoint(const dce_rpc_endpoint_addr& addr) - { - return dce_rpc_endpoints.find(addr) != dce_rpc_endpoints.end(); - } - -bool is_mapped_dce_rpc_endpoint(const ConnID* id, TransportProto proto) - { - if ( id->dst_addr.GetFamily() == IPv6 ) - // TODO: Does the protocol support v6 addresses? #773 - return false; - - dce_rpc_endpoint_addr addr; - addr.addr = id->dst_addr; - addr.port = ntohs(id->dst_port); - addr.proto = proto; - - return is_mapped_dce_rpc_endpoint(addr); - } - -static void add_dce_rpc_endpoint(const dce_rpc_endpoint_addr& addr, - const UUID& uuid) - { - DEBUG_MSG("Adding endpoint %s @ %s\n", - uuid.to_string(), addr.to_string().c_str()); - dce_rpc_endpoints[addr] = uuid; - - // FIXME: Once we can pass the cookie to the analyzer, we can get rid - // of the dce_rpc_endpoints table. - // FIXME: Don't hard-code the timeout. - - analyzer_mgr->ScheduleAnalyzer(IPAddr(), addr.addr, addr.port, addr.proto, - "DCE_RPC", 5 * 60); - } - -DCE_RPC_Header::DCE_RPC_Header(analyzer::Analyzer* a, const u_char* b) - { - analyzer = a; - bytes = b; - - // This checks whether it's both the first fragment *and* - // the last fragment. - if ( (bytes[3] & 0x3) != 0x3 ) - { - fragmented = 1; - Weird("Fragmented DCE/RPC message"); - } - else - fragmented = 0; - - ptype = (BifEnum::dce_rpc_ptype) bytes[2]; - frag_len = extract_uint16(LittleEndian(), bytes + 8); - } - -DCE_RPC_Session::DCE_RPC_Session(analyzer::Analyzer* a) -: analyzer(a), - uuid("00000000-0000-0000-0000-000000000000"), - if_id(BifEnum::DCE_RPC_unknown_if) - { - opnum = -1; - } - -bool DCE_RPC_Session::LooksLikeRPC(int len, const u_char* msg) - { - // if ( ! 
is_IPC ) - // return false; - - try - { - binpac::DCE_RPC::DCE_RPC_Header h; - h.Parse(msg, msg + len); - if ( h.rpc_vers() == 5 && h.rpc_vers_minor() == 0 ) - { - if ( h.frag_length() == len ) - return true; - else - { - DEBUG_MSG("length mismatch: %d != %d\n", - h.frag_length(), len); - return false; - } - } - } - catch ( const binpac::Exception& ) - { - // do nothing - } - - return false; - } - -void DCE_RPC_Session::DeliverPDU(int is_orig, int len, const u_char* data) - { - if ( dce_rpc_message ) - { - val_list* vl = new val_list; - vl->append(analyzer->BuildConnVal()); - vl->append(new Val(is_orig, TYPE_BOOL)); - vl->append(new EnumVal(data[2], BifType::Enum::dce_rpc_ptype)); - vl->append(new StringVal(len, (const char*) data)); - - analyzer->ConnectionEvent(dce_rpc_message, vl); - } - - try - { - // TODO: handle incremental input - binpac::DCE_RPC::DCE_RPC_PDU pdu; - pdu.Parse(data, data + len); - - switch ( pdu.header()->PTYPE() ) { - case binpac::DCE_RPC::DCE_RPC_BIND: - case binpac::DCE_RPC::DCE_RPC_ALTER_CONTEXT: - DeliverBind(&pdu); - break; - - case binpac::DCE_RPC::DCE_RPC_REQUEST: - DeliverRequest(&pdu); - break; - - case binpac::DCE_RPC::DCE_RPC_RESPONSE: - DeliverResponse(&pdu); - break; - } - } - catch ( const binpac::Exception& e ) - { - analyzer->Weird(e.msg().c_str()); - } - } - -void DCE_RPC_Session::DeliverBind(const binpac::DCE_RPC::DCE_RPC_PDU* pdu) - { - binpac::DCE_RPC::DCE_RPC_Bind* bind = pdu->body()->bind(); - - for ( int i = 0; i < bind->context_list()->num_contexts(); ++i ) - { - binpac::DCE_RPC::ContextRequest* elem = - (*bind->context_list()->request_contexts())[i]; - - uuid = UUID(elem->abstract_syntax()->uuid().begin()); - uuid_map_t::const_iterator uuid_it = - well_known_uuid_map().find(uuid); - - if ( uuid_it == well_known_uuid_map().end() ) - { -#ifdef DEBUG - // conn->Weird(fmt("Unknown DCE_RPC interface %s", - // uuid.to_string())); -#endif - if_id = BifEnum::DCE_RPC_unknown_if; - } - else - if_id = uuid_it->second; - - if ( 
dce_rpc_bind ) - { - val_list* vl = new val_list; - vl->append(analyzer->BuildConnVal()); - vl->append(new StringVal(uuid.to_string())); - // vl->append(new EnumVal(if_id, BifType::Enum::dce_rpc_if_id)); - - analyzer->ConnectionEvent(dce_rpc_bind, vl); - } - } - } - -void DCE_RPC_Session::DeliverRequest(const binpac::DCE_RPC::DCE_RPC_PDU* pdu) - { - binpac::DCE_RPC::DCE_RPC_Request* req = pdu->body()->request(); - - opnum = req->opnum(); - - if ( dce_rpc_request ) - { - val_list* vl = new val_list; - vl->append(analyzer->BuildConnVal()); - vl->append(new Val(opnum, TYPE_COUNT)); - vl->append(new StringVal(req->stub().length(), - (const char*) req->stub().begin())); - - analyzer->ConnectionEvent(dce_rpc_request, vl); - } - - switch ( if_id ) { - case BifEnum::DCE_RPC_epmapper: - DeliverEpmapperRequest(pdu, req); - break; - - default: - break; - } - } - -void DCE_RPC_Session::DeliverResponse(const binpac::DCE_RPC::DCE_RPC_PDU* pdu) - { - binpac::DCE_RPC::DCE_RPC_Response* resp = pdu->body()->response(); - - if ( dce_rpc_response ) - { - val_list* vl = new val_list; - vl->append(analyzer->BuildConnVal()); - vl->append(new Val(opnum, TYPE_COUNT)); - vl->append(new StringVal(resp->stub().length(), - (const char*) resp->stub().begin())); - analyzer->ConnectionEvent(dce_rpc_response, vl); - } - - switch ( if_id ) { - case BifEnum::DCE_RPC_epmapper: - DeliverEpmapperResponse(pdu, resp); - break; - - default: - break; - } - } - -void DCE_RPC_Session::DeliverEpmapperRequest( - const binpac::DCE_RPC::DCE_RPC_PDU* /* pdu */, - const binpac::DCE_RPC::DCE_RPC_Request* /* req */) - { - // DEBUG_MSG("Epmapper request opnum = %d\n", req->opnum()); - // ### TODO(rpang): generate an event on epmapper request - } - -void DCE_RPC_Session::DeliverEpmapperResponse( - const binpac::DCE_RPC::DCE_RPC_PDU* pdu, - const binpac::DCE_RPC::DCE_RPC_Response* resp) - { - // DEBUG_MSG("Epmapper request opnum = %d\n", req->opnum()); - switch ( opnum ) { - case 3: // Map - 
DeliverEpmapperMapResponse(pdu, resp); - break; - } - } - - -void DCE_RPC_Session::DeliverEpmapperMapResponse( - const binpac::DCE_RPC::DCE_RPC_PDU* pdu, - const binpac::DCE_RPC::DCE_RPC_Response* resp) - { - try - { - binpac::DCE_RPC::epmapper_map_resp epm_resp; - - epm_resp.Parse(resp->stub().begin(), resp->stub().end(), - pdu->byteorder()); - - for ( unsigned int twr_i = 0; - twr_i < epm_resp.towers()->actual_count(); ++twr_i ) - { - binpac::DCE_RPC::epm_tower* twr = - (*epm_resp.towers()->towers())[twr_i]->tower(); - - mapped.addr = dce_rpc_endpoint_addr(); - mapped.uuid = UUID(); - - for ( int floor_i = 0; floor_i < twr->num_floors(); - ++floor_i ) - { - binpac::DCE_RPC::epm_floor* floor = - (*twr->floors())[floor_i]; - - switch ( floor->protocol() ) { - case binpac::DCE_RPC::EPM_PROTOCOL_UUID: - if ( floor_i == 0 ) - mapped.uuid = UUID(floor->lhs()->data()->uuid()->if_uuid()); - break; - - case binpac::DCE_RPC::EPM_PROTOCOL_TCP: - mapped.addr.port = - floor->rhs()->data()->tcp(); - mapped.addr.proto = TRANSPORT_TCP; - break; - - case binpac::DCE_RPC::EPM_PROTOCOL_UDP: - mapped.addr.port = - floor->rhs()->data()->udp(); - mapped.addr.proto = TRANSPORT_UDP; - break; - - case binpac::DCE_RPC::EPM_PROTOCOL_IP: - uint32 hostip = floor->rhs()->data()->ip(); - mapped.addr.addr = IPAddr(IPv4, &hostip, IPAddr::Host); - break; - } - } - - if ( mapped.addr.is_valid_addr() ) - add_dce_rpc_endpoint(mapped.addr, mapped.uuid); - - if ( epm_map_response ) - { - val_list* vl = new val_list; - vl->append(analyzer->BuildConnVal()); - vl->append(new StringVal(mapped.uuid.to_string())); - vl->append(new PortVal(mapped.addr.port, mapped.addr.proto)); - vl->append(new AddrVal(mapped.addr.addr)); - - analyzer->ConnectionEvent(epm_map_response, vl); - } - } - } - catch ( const binpac::Exception& e ) - { - analyzer->Weird(e.msg().c_str()); - } - } - -Contents_DCE_RPC_Analyzer::Contents_DCE_RPC_Analyzer(Connection* conn, - bool orig, DCE_RPC_Session* arg_session, bool speculative) -: 
tcp::TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig) - { - session = arg_session; - msg_buf = 0; - buf_len = 0; - speculation = speculative ? 0 : 1; - - InitState(); - } - -void Contents_DCE_RPC_Analyzer::InitState() - { - // Allocate space for header. - if ( ! msg_buf ) - { - buf_len = DCE_RPC_HEADER_LENGTH; - msg_buf = new u_char[buf_len]; - } - - buf_n = 0; - msg_len = 0; - hdr = 0; - } - -Contents_DCE_RPC_Analyzer::~Contents_DCE_RPC_Analyzer() - { - delete [] msg_buf; - delete hdr; - } - -void Contents_DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig) - { - tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); - - tcp::TCP_Analyzer* tcp = - static_cast(Parent())->TCP(); - - if ( tcp->HadGap(orig) || tcp->IsPartial() ) - return; - - if ( speculation == 0 ) // undecided - { - if ( ! DCE_RPC_Session::LooksLikeRPC(len, data) ) - speculation = -1; - else - speculation = 1; - } - - if ( speculation < 0 ) - return; - - ASSERT(buf_len >= DCE_RPC_HEADER_LENGTH); - while ( len > 0 ) - { - if ( buf_n < DCE_RPC_HEADER_LENGTH ) - { - while ( buf_n < DCE_RPC_HEADER_LENGTH && len > 0 ) - { - msg_buf[buf_n] = *data; - ++buf_n; ++data; --len; - } - - if ( buf_n < DCE_RPC_HEADER_LENGTH ) - break; - else - { - if ( ! 
ParseHeader() ) - return; - } - } - - while ( buf_n < msg_len && len > 0 ) - { - msg_buf[buf_n] = *data; - ++buf_n; ++data; --len; - } - - if ( buf_n < msg_len ) - break; - else - { - if ( msg_len > 0 ) - DeliverPDU(msg_len, msg_buf); - // Reset for next message - InitState(); - } - } - } - -void Contents_DCE_RPC_Analyzer::DeliverPDU(int len, const u_char* data) - { - session->DeliverPDU(IsOrig(), len, data); - } - -bool Contents_DCE_RPC_Analyzer::ParseHeader() - { - delete hdr; - hdr = 0; - - if ( msg_buf[0] != 5 ) // DCE/RPC version - { - Conn()->Weird("DCE/RPC_version_error (non-DCE/RPC?)"); - Conn()->SetSkip(1); - msg_len = 0; - return false; - } - - hdr = new DCE_RPC_Header(this, msg_buf); - - msg_len = hdr->FragLen(); - if ( msg_len > buf_len ) - { - u_char* new_msg_buf = new u_char[msg_len]; - memcpy(new_msg_buf, msg_buf, buf_n); - delete [] msg_buf; - buf_len = msg_len; - msg_buf = new_msg_buf; - hdr->SetBytes(new_msg_buf); - } - - return true; - } - -DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn, bool arg_speculative) +DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection *conn) : tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn) { - session = new DCE_RPC_Session(this); - speculative = arg_speculative; - - AddSupportAnalyzer(new Contents_DCE_RPC_Analyzer(conn, true, session, - speculative)); - AddSupportAnalyzer(new Contents_DCE_RPC_Analyzer(conn, false, session, - speculative)); + interp = new binpac::DCE_RPC::DCE_RPC_Conn(this); } DCE_RPC_Analyzer::~DCE_RPC_Analyzer() { - delete session; + delete interp; + } + +void DCE_RPC_Analyzer::Done() + { + TCP_ApplicationAnalyzer::Done(); + + interp->FlowEOF(true); + interp->FlowEOF(false); + } + +void DCE_RPC_Analyzer::EndpointEOF(bool is_orig) + { + TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + interp->FlowEOF(is_orig); + } + +void DCE_RPC_Analyzer::Undelivered(uint64 seq, int len, bool orig) + { + TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + interp->NewGap(orig, len); + } + +void 
DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig) + { + TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + + assert(TCP()); + try + { + interp->NewData(orig, data, data + len); + } + catch ( const binpac::Exception& e ) + { + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); + } } diff --git a/src/analyzer/protocol/dce-rpc/DCE_RPC.h b/src/analyzer/protocol/dce-rpc/DCE_RPC.h index c54638d03f..984ede8a3c 100644 --- a/src/analyzer/protocol/dce-rpc/DCE_RPC.h +++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.h @@ -35,7 +35,7 @@ protected: string s; }; -const char* uuid_to_string(const u_char* uuid_data); +//const char* uuid_to_string(const u_char* uuid_data); struct dce_rpc_endpoint_addr { // All fields are in host byteorder. @@ -88,6 +88,7 @@ enum DCE_RPC_PTYPE { }; */ +/* #define DCE_RPC_HEADER_LENGTH 16 class DCE_RPC_Header { @@ -172,18 +173,23 @@ protected: DCE_RPC_Session* session; }; +*/ class DCE_RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - DCE_RPC_Analyzer(Connection* conn, bool speculative = false); + DCE_RPC_Analyzer(Connection* conn); ~DCE_RPC_Analyzer(); + virtual void Done(); + virtual void DeliverStream(int len, const u_char* data, bool orig); + virtual void Undelivered(uint64 seq, int len, bool orig); + virtual void EndpointEOF(bool is_orig); + static analyzer::Analyzer* Instantiate(Connection* conn) { return new DCE_RPC_Analyzer(conn); } protected: - DCE_RPC_Session* session; - bool speculative; + binpac::DCE_RPC::DCE_RPC_Conn* interp; }; } } // namespace analyzer::* diff --git a/src/analyzer/protocol/dce-rpc/Plugin.cc b/src/analyzer/protocol/dce-rpc/Plugin.cc index d855d20cc0..f4335bb045 100644 --- a/src/analyzer/protocol/dce-rpc/Plugin.cc +++ b/src/analyzer/protocol/dce-rpc/Plugin.cc 
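Review bot: The new DCE_RPC_Analyzer::DeliverStream hands every segment to interp->NewData() without the partial-connection guard the removed Contents_DCE_RPC_Analyzer::DeliverStream had (`if ( tcp->HadGap(orig) || tcp->IsPartial() ) return;`). On a connection picked up mid-stream the flowunit parser starts at an arbitrary byte, so framing by frag_length is unreliable and the catch block reports a ProtocolViolation where the old code quietly declined to parse; after `assert(TCP());` add `if ( TCP()->IsPartial() ) return;`. Gaps themselves are now covered by the Undelivered override calling NewGap(), so the HadGap() half of the old check is no longer needed. Relying on `assert` alone for the TCP() pointer is only a debug-build check; the IsPartial() line is the one that actually protects the parser.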
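Review bot: The DCE_RPC.h hunks keep the superseded declarations behind comment markers (`//const char* uuid_to_string(const u_char* uuid_data);` and a `/* ... */` wrapped around DCE_RPC_HEADER_LENGTH, DCE_RPC_Header and the session/contents classes) instead of deleting them, and the Plugin.cc hunk does the same with `//AddComponent(new ::analyzer::Component("Contents_DCE_RPC", 0));`. The removed implementation remains in history, so dropping those lines leaves the header with only what the binpac-based analyzer uses; `struct dce_rpc_endpoint_addr`, still declared between the two commented regions, does not appear to be referenced by the new code either. If the commented block is meant as a reminder to port fragment reassembly or endpoint tracking, a single `// TODO:` naming what is pending says that more clearly than 100 lines of dead code.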
@@ -13,7 +13,7 @@ public: plugin::Configuration Configure() { AddComponent(new ::analyzer::Component("DCE_RPC", ::analyzer::dce_rpc::DCE_RPC_Analyzer::Instantiate)); - AddComponent(new ::analyzer::Component("Contents_DCE_RPC", 0)); + //AddComponent(new ::analyzer::Component("Contents_DCE_RPC", 0)); plugin::Configuration config; config.name = "Bro::DCE_RPC"; diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac index a25b4b783a..9482fa8cee 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac 
@@ -1,135 +1,163 @@ # DCE/RPC protocol data unit. -type DCE_RPC_PDU = record { - # Set header's byteorder to little-endian (or big-endian) to - # avoid cyclic dependency. - header : DCE_RPC_Header; - # TODO: bring back reassembly. It was having trouble. - #frag : bytestring &length = body_length; - body : DCE_RPC_Body(header); - auth : DCE_RPC_Auth(header); -} &let { - #body_length : int = header.frag_length - sizeof(header) - header.auth_length; - #frag_reassembled : bool = $context.flow.reassemble_fragment(frag, header.lastfrag); - #body : DCE_RPC_Body(header) - # withinput $context.flow.reassembled_body() - # &if frag_reassembled; -} &byteorder = header.byteorder, - &length = header.frag_length; +refine connection DCE_RPC_Conn += { + %member{ + map cont_id_opnum_map; + %} + + function get_cont_id_opnum_map(cont_id: uint16): uint16 + %{ + return cont_id_opnum_map[cont_id]; + %} + + function set_cont_id_opnum_map(cont_id: uint16, opnum: uint16): bool + %{ + cont_id_opnum_map[cont_id] = opnum; + return true; + %} + + function proc_dce_rpc_pdu(pdu: DCE_RPC_PDU): bool + %{ + // If a whole pdu message parsed ok, let's confirm the protocol + bro_analyzer()->ProtocolConfirmation(); + return true; + %} + + function proc_dce_rpc_message(header: DCE_RPC_Header): bool + %{ + if ( dce_rpc_message ) + { + BifEvent::generate_dce_rpc_message(bro_analyzer(), + bro_analyzer()->Conn(), + ${header.is_orig}, + ${header.PTYPE}, + new EnumVal(${header.PTYPE}, BifType::Enum::DCE_RPC::PType)); + } + return true; + %} + + function process_dce_rpc_bind(bind: DCE_RPC_Bind): bool + %{ + + if ( dce_rpc_bind ) + { + // Go over the elements, each having a UUID + $const_def{bind_elems = bind.context_list}; + for ( int i = 0; i < ${bind_elems.num_contexts}; ++i ) + { + $const_def{uuid = bind_elems.request_contexts[i].abstract_syntax.uuid}; + $const_def{version = bind_elems.request_contexts[i].abstract_syntax.version}; + + // Queue the event + BifEvent::generate_dce_rpc_bind(bro_analyzer(), + 
bro_analyzer()->Conn(), + bytestring_to_val(${uuid}), + new StringVal(fmt("%d.0", ${version}))); + } + } + + return true; + %} + + function process_dce_rpc_bind_ack(bind: DCE_RPC_Bind_Ack): bool + %{ + if ( dce_rpc_bind_ack ) + { + StringVal *sec_addr; + // Remove the null from the end of the string if it's there. + if ( *(${bind.sec_addr}.begin() + ${bind.sec_addr}.length()) == 0 ) + sec_addr = new StringVal(${bind.sec_addr}.length()-1, (const char*) ${bind.sec_addr}.begin()); + else + sec_addr = new StringVal(${bind.sec_addr}.length(), (const char*) ${bind.sec_addr}.begin()); + + BifEvent::generate_dce_rpc_bind_ack(bro_analyzer(), + bro_analyzer()->Conn(), + sec_addr); + } + return true; + %} + + function process_dce_rpc_request(req: DCE_RPC_Request): bool + %{ + if ( dce_rpc_request ) + { + BifEvent::generate_dce_rpc_request(bro_analyzer(), + bro_analyzer()->Conn(), + ${req.opnum}, + bytestring_to_val(${req.stub})); + } + + set_cont_id_opnum_map(${req.context_id}, + ${req.opnum}); + return true; + %} + + function process_dce_rpc_response(resp: DCE_RPC_Response): bool + %{ + if ( dce_rpc_response ) + { + BifEvent::generate_dce_rpc_response(bro_analyzer(), + bro_analyzer()->Conn(), + get_cont_id_opnum_map(${resp.context_id}), + bytestring_to_val(${resp.stub})); + } + + return true; + %} + +}; + + +refine flow DCE_RPC_Flow += { + #%member{ + #FlowBuffer frag_reassembler_; + #%} + + # Fragment reassembly. 
+ #function reassemble_fragment(frag: bytestring, lastfrag: bool): bool + # %{ + # int orig_data_length = frag_reassembler_.data_length(); + # + # frag_reassembler_.NewData(frag.begin(), frag.end()); + # + # int new_frame_length = orig_data_length + frag.length(); + # if ( orig_data_length == 0 ) + # frag_reassembler_.NewFrame(new_frame_length, false); + # else + # frag_reassembler_.GrowFrame(new_frame_length); + # + # return lastfrag; + # %} + + #function reassembled_body(): const_bytestring + # %{ + # return const_bytestring( + # frag_reassembler_.begin(), + # frag_reassembler_.end()); + # %} +}; + +refine typeattr DCE_RPC_PDU += &let { + proc = $context.connection.proc_dce_rpc_pdu(this); +} + +refine typeattr DCE_RPC_Header += &let { + proc = $context.connection.proc_dce_rpc_message(this); +}; + +refine typeattr DCE_RPC_Bind += &let { + proc = $context.connection.process_dce_rpc_bind(this); +}; + +refine typeattr DCE_RPC_Bind_Ack += &let { + proc = $context.connection.process_dce_rpc_bind_ack(this); +}; + +refine typeattr DCE_RPC_Request += &let { + proc = $context.connection.process_dce_rpc_request(this); +}; + +refine typeattr DCE_RPC_Response += &let { + proc = $context.connection.process_dce_rpc_response(this); +}; -#connection DCE_RPC_Conn(bro_analyzer: BroAnalyzer) { -# upflow = DCE_RPC_Flow(true); -# downflow = DCE_RPC_Flow(false); -# -# %member{ -# map cont_id_opnum_map; -# %} -# -# function get_cont_id_opnum_map(cont_id: uint16): uint16 -# %{ -# return cont_id_opnum_map[cont_id]; -# %} -# -# function set_cont_id_opnum_map(cont_id: uint16, opnum: uint16): bool -# %{ -# cont_id_opnum_map[cont_id] = opnum; -# return true; -# %} -#}; -# -# -#flow DCE_RPC_Flow(is_orig: bool) { -# flowunit = DCE_RPC_PDU withcontext (connection, this); -# -# #%member{ -# #FlowBuffer frag_reassembler_; -# #%} -# -# # Fragment reassembly. 
-# #function reassemble_fragment(frag: bytestring, lastfrag: bool): bool -# # %{ -# # int orig_data_length = frag_reassembler_.data_length(); -# # -# # frag_reassembler_.NewData(frag.begin(), frag.end()); -# # -# # int new_frame_length = orig_data_length + frag.length(); -# # if ( orig_data_length == 0 ) -# # frag_reassembler_.NewFrame(new_frame_length, false); -# # else -# # frag_reassembler_.GrowFrame(new_frame_length); -# # -# # return lastfrag; -# # %} -# -# #function reassembled_body(): const_bytestring -# # %{ -# # return const_bytestring( -# # frag_reassembler_.begin(), -# # frag_reassembler_.end()); -# # %} -# -# # Bind. -# function process_dce_rpc_bind(bind: DCE_RPC_Bind): bool -# %{ -# $const_def{bind_elems = bind.context_list}; -# -# if ( ${bind_elems.num_contexts} > 1 ) -# { -# ${connection.bro_analyzer}->Weird("DCE_RPC_bind_to_multiple_interfaces"); -# } -# -# if ( dce_rpc_bind ) -# { -# // Go over the elements, each having a UUID -# for ( int i = 0; i < ${bind_elems.num_contexts}; ++i ) -# { -# $const_def{uuid = -# bind_elems.request_contexts[i].abstract_syntax.uuid}; -# -# // Queue the event -# BifEvent::generate_dce_rpc_bind( -# ${connection.bro_analyzer}, -# ${connection.bro_analyzer}->Conn(), -# bytestring_to_val(${uuid})); -# -# // Set the connection's UUID -# // ${connection}->set_uuid(${uuid}); -# } -# } -# -# return ${bind_elems.num_contexts} > 0; -# %} -# -# # Request. -# function process_dce_rpc_request(req: DCE_RPC_Request): bool -# %{ -# if ( dce_rpc_request ) -# { -# BifEvent::generate_dce_rpc_request( -# ${connection.bro_analyzer}, -# ${connection.bro_analyzer}->Conn(), -# ${req.opnum}, -# bytestring_to_val(${req.stub})); -# } -# -# ${connection}->set_cont_id_opnum_map(${req.context_id}, -# ${req.opnum}); -# -# return true; -# %} -# -# # Response. 
-# function process_dce_rpc_response(resp: DCE_RPC_Response): bool -# %{ -# if ( dce_rpc_response ) -# { -# BifEvent::generate_dce_rpc_response( -# ${connection.bro_analyzer}, -# ${connection.bro_analyzer}->Conn(), -# ${connection}->get_cont_id_opnum_map(${resp.context_id}), -# bytestring_to_val(${resp.stub})); -# } -# -# return true; -# %} -#}; diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac index f13311a0fa..847ca182e2 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac @@ -29,6 +29,23 @@ type context_handle = record { uuid : bytestring &length = 16; }; +type DCE_RPC_PDU(is_orig: bool) = record { + # Set header's byteorder to little-endian (or big-endian) to + # avoid cyclic dependency. + header : DCE_RPC_Header(is_orig); + # TODO: bring back reassembly. It was having trouble. + #frag : bytestring &length = body_length; + body : DCE_RPC_Body(header); + auth : DCE_RPC_Auth(header); +} &let { + #body_length : int = header.frag_length - sizeof(header) - header.auth_length; + #frag_reassembled : bool = $context.flow.reassemble_fragment(frag, header.lastfrag); + #body : DCE_RPC_Body(header) + # withinput $context.flow.reassembled_body() + # &if frag_reassembled; +} &byteorder = header.byteorder, &length = header.frag_length; + + #type rpc_if_id_t = record { # if_uuid : bytestring &length = 16; # vers_major : uint16; @@ -46,7 +63,7 @@ type NDR_Format = record { #### There might be a endianness problem here: the frag_length # causes problems despite the NDR_Format having a byteorder set. -type DCE_RPC_Header = record { +type DCE_RPC_Header(is_orig: bool) = record { rpc_vers : uint8 &check(rpc_vers == 5); rpc_vers_minor : uint8; PTYPE : uint8; diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc.pac b/src/analyzer/protocol/dce-rpc/dce_rpc.pac index 737d4d7a64..616b4e7770 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc.pac 
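Review bot: process_dce_rpc_bind_ack reads one byte past the end of sec_addr: `*(${bind.sec_addr}.begin() + ${bind.sec_addr}.length())` dereferences end(), and for an empty sec_addr the `length()-1` branch would underflow. The trailing-NUL test should look at the last byte inside the buffer, `if ( ${bind.sec_addr}.length() > 0 && *(${bind.sec_addr}.begin() + ${bind.sec_addr}.length() - 1) == 0 )`. Separately, get_cont_id_opnum_map uses `cont_id_opnum_map[cont_id]`, which default-inserts 0 for a context id never seen in a request, so a response with no matching request is reported with opnum 0 rather than being distinguishable; a `find()` with an explicit fallback (or not raising the event) would make that case visible to scripts. Whether the protocol grammar guarantees a non-empty sec_addr is not visible in this hunk, so the length guard is the safe choice.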
+++ b/src/analyzer/protocol/dce-rpc/dce_rpc.pac @@ -2,16 +2,26 @@ %include bro.pac %extern{ -#include "events.bif.h" + #include "types.bif.h" + #include "events.bif.h" %} -analyzer DCE_RPC withcontext {}; +analyzer DCE_RPC withcontext { + connection : DCE_RPC_Conn; + flow : DCE_RPC_Flow; +}; -#analyzer DCE_RPC withcontext { -# connection : DCE_RPC_Conn; -# flow : DCE_RPC_Flow; -#}; +connection DCE_RPC_Conn(bro_analyzer: BroAnalyzer) { + upflow = DCE_RPC_Flow(true); + downflow = DCE_RPC_Flow(false); +}; %include dce_rpc-protocol.pac + +# Now we define the flow: +flow DCE_RPC_Flow(is_orig: bool) { + flowunit = DCE_RPC_PDU(is_orig) withcontext(connection, this); +}; + %include epmapper.pac %include dce_rpc-analyzer.pac diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc_simple.pac b/src/analyzer/protocol/dce-rpc/dce_rpc_simple.pac deleted file mode 100644 index 1bf0387b1d..0000000000 --- a/src/analyzer/protocol/dce-rpc/dce_rpc_simple.pac +++ /dev/null @@ -1,20 +0,0 @@ -%include bro.pac - -%extern{ -#include "events.bif.h" -%} - -analyzer DCE_RPC_Simple withcontext {}; - -%include dce_rpc-protocol.pac - -type DCE_RPC_PDU = record { - # Set header's byteorder to little-endian (or big-endian) to - # avoid cyclic dependency. - header : DCE_RPC_Header; - body : DCE_RPC_Body(header) - &length = header.frag_length - sizeof(header) - - header.auth_length; - auth : DCE_RPC_Auth(header); -} &byteorder = header.byteorder, - &length = header.frag_length; diff --git a/src/analyzer/protocol/dce-rpc/events.bif b/src/analyzer/protocol/dce-rpc/events.bif index bdabb674fa..94fd402dba 100644 --- a/src/analyzer/protocol/dce-rpc/events.bif +++ b/src/analyzer/protocol/dce-rpc/events.bif 
@@ -2,54 +2,31 @@ ## ## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request ## dce_rpc_response rpc_timeout -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%); +event dce_rpc_message%(c: connection, is_orig: bool, ptype_id: count, ptype: DCE_RPC::PType%); ## TODO. ## ## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_message dce_rpc_request ## dce_rpc_response rpc_timeout -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event dce_rpc_bind%(c: connection, uuid: string%); +event dce_rpc_bind%(c: connection, uuid: string, version: string%); + +event dce_rpc_bind_ack%(c: connection, sec_addr: string%); ## TODO. ## ## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message ## dce_rpc_response rpc_timeout -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. event dce_rpc_request%(c: connection, opnum: count, stub: string%); ## TODO. ## ## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message ## dce_rpc_request rpc_timeout -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. 
To still enable this event, one needs to -## register a port for it or add a DPD payload signature. event dce_rpc_response%(c: connection, opnum: count, stub: string%); ## TODO. ## ## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message ## dce_rpc_request dce_rpc_response rpc_timeout -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. event epm_map_response%(c: connection, uuid: string, p: port, h: addr%); diff --git a/src/analyzer/protocol/dce-rpc/types.bif b/src/analyzer/protocol/dce-rpc/types.bif new file mode 100644 index 0000000000..251b53f952 --- /dev/null +++ b/src/analyzer/protocol/dce-rpc/types.bif @@ -0,0 +1,41 @@ + +module DCE_RPC; + +enum PType %{ + REQUEST, + PING, + RESPONSE, + FAULT, + WORKING, + NOCALL, + REJECT, + ACK, + CL_CANCEL, + FACK, + CANCEL_ACK, + BIND, + BIND_ACK, + BIND_NAK, + ALTER_CONTEXT, + ALTER_CONTEXT_RESP, + SHUTDOWN, + CO_CANCEL, + ORPHANED, +%} + +enum IfID %{ + unknown_if, + epmapper, + lsarpc, + lsa_ds, + mgmt, + netlogon, + samr, + srvsvc, + spoolss, + drs, + winspipe, + wkssvc, + oxid, + ISCMActivator, +%} diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt index 3a0b0e75f0..305e1191f6 100644 --- a/src/analyzer/protocol/smb/CMakeLists.txt +++ b/src/analyzer/protocol/smb/CMakeLists.txt @@ -47,7 +47,6 @@ bro_plugin_pac( smb-pipe.pac smb-mailslot.pac smb-ntlmssp.pac - dce_rpc-protocol.pac smb1-protocol.pac smb1-com-check-directory.pac diff --git a/src/analyzer/protocol/smb/DCE_RPC.cc b/src/analyzer/protocol/smb/DCE_RPC.cc deleted file mode 100644 index dd31cfa8a7..0000000000 --- a/src/analyzer/protocol/smb/DCE_RPC.cc +++ /dev/null 
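Review bot: The new `event dce_rpc_bind_ack%(c: connection, sec_addr: string%);` is declared without the `##` documentation block every other event in this file carries, so the generated script reference will have no description for it; something like `## Generated for a DCE/RPC bind_ack PDU. sec_addr is the secondary address returned by the server, with a trailing NUL stripped by the analyzer.` above the declaration, plus a `.. bro:see::` line matching its siblings, keeps the file consistent. The `## TODO.` placeholders on the other events predate this change, but dce_rpc_message and dce_rpc_bind gain new parameters here (`ptype_id`/`ptype`, `version`) that are equally undocumented. A sentence on what `ptype_id` versus `ptype` carry, and that `version` is the string the analyzer formats with `"%d.0"`, would help script authors more than the bare signatures.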
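Review bot: `enum PType` in types.bif has no comment tying its order to the wire PTYPE byte, yet dce_rpc-analyzer.pac builds the value with `new EnumVal(${header.PTYPE}, BifType::Enum::DCE_RPC::PType)`, so any reordering or insertion silently mislabels packet types. A header comment such as `## Packet types; position must match the PTYPE field of the DCE/RPC header (REQUEST = 0 ... ORPHANED = 18), since the analyzer converts the raw byte directly.` makes that constraint explicit. A header whose PTYPE byte is outside 0–18 has no matching enumerator; whether EnumVal construction tolerates that is not visible here, so it is worth a range check on the analyzer side before the event is generated. `enum IfID` does not appear to be used anywhere in this change; if it is carried over for later work, a comment saying so would stop it reading as dead.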
@@ -1,588 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "config.h" - -#include -#include -#include - -using namespace std; - -#include "DCE_RPC.h" -#include "Sessions.h" - -#include "analyzer/Manager.h" - -#include "events.bif.h" - -using namespace analyzer::dce_rpc; - -#define xbyte(b, n) (((const u_char*) (b))[n]) - -#define extract_uint16(little_endian, bytes) \ - ((little_endian) ? \ - uint16(xbyte(bytes, 0)) | ((uint16(xbyte(bytes, 1))) << 8) : \ - uint16(xbyte(bytes, 1)) | ((uint16(xbyte(bytes, 0))) << 8)) - -static int uuid_index[] = { - 3, 2, 1, 0, - 5, 4, 7, 6, - 8, 9, 10, 11, - 12, 13, 14, 15 -}; - -const char* analyzer::dce_rpc::uuid_to_string(const u_char* uuid_data) - { - static char s[1024]; - char* sp = s; - - for ( int i = 0; i < 16; ++i ) - { - if ( i == 4 || i == 6 || i == 8 || i == 10 ) - sp += snprintf(sp, s + sizeof(s) - sp, "-"); - - int j = uuid_index[i]; - sp += snprintf(sp, s + sizeof(s) - sp, "%02x", uuid_data[j]); - } - - return s; - } - -UUID::UUID() - { - memset(data, 0, 16); - s = uuid_to_string(data); - } - -UUID::UUID(const u_char d[16]) - { - memcpy(data, d, 16); - s = uuid_to_string(data); - } - -UUID::UUID(const binpac::bytestring& uuid) - { - if ( uuid.length() != 16 ) - reporter->InternalError("UUID length error"); - memcpy(data, uuid.begin(), 16); - s = uuid_to_string(data); - } - -UUID::UUID(const char* str) - { - s = string(str); - const char* sp = str; - int i; - for ( i = 0; i < 16; ++i ) - { - if ( *sp == '-' ) - ++sp; - if ( ! *sp || ! 
*(sp+1) ) - break; - - data[uuid_index[i]] = - (u_char) (decode_hex(*sp) * 16 + decode_hex(*(sp+1))); - } - - if ( i != 16 ) - reporter->InternalError("invalid UUID string: %s", str); - } - -typedef map uuid_map_t; - -static uuid_map_t& well_known_uuid_map() - { - static uuid_map_t the_map; - static bool initialized = false; - - if ( initialized ) - return the_map; - - using namespace BifEnum; - - the_map[UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")] = DCE_RPC_epmapper; - - the_map[UUID("afa8bd80-7d8a-11c9-bef4-08002b102989")] = DCE_RPC_mgmt; - - // It's said that the following interfaces are merely aliases. - the_map[UUID("12345778-1234-abcd-ef00-0123456789ab")] = DCE_RPC_lsarpc; - the_map[UUID("12345678-1234-abcd-ef00-01234567cffb")] = DCE_RPC_netlogon; - the_map[UUID("12345778-1234-abcd-ef00-0123456789ac")] = DCE_RPC_samr; - - // The next group of aliases. - the_map[UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")] = DCE_RPC_srvsvc; - the_map[UUID("12345678-1234-abcd-ef00-0123456789ab")] = DCE_RPC_spoolss; - the_map[UUID("45f52c28-7f9f-101a-b52b-08002b2efabe")] = DCE_RPC_winspipe; - the_map[UUID("6bffd098-a112-3610-9833-46c3f87e345a")] = DCE_RPC_wkssvc; - - // DRS - NT directory replication service. - the_map[UUID("e3514235-4b06-11d1-ab04-00c04fc2dcd2")] = DCE_RPC_drs; - - // "The IOXIDResolver RPC interface (formerly known as - // IObjectExporter) is remotely used to reach the local object - // resolver (OR)." - the_map[UUID("99fcfec4-5260-101b-bbcb-00aa0021347a")] = DCE_RPC_oxid; - - the_map[UUID("3919286a-b10c-11d0-9ba8-00c04fd92ef5")] = DCE_RPC_lsa_ds; - - the_map[UUID("000001a0-0000-0000-c000-000000000046")] = DCE_RPC_ISCMActivator; - - initialized = true; - return the_map; - } - -// Used to remember mapped DCE/RPC endpoints and parse the follow-up -// connections as DCE/RPC sessions. 
-map dce_rpc_endpoints; - -static bool is_mapped_dce_rpc_endpoint(const dce_rpc_endpoint_addr& addr) - { - return dce_rpc_endpoints.find(addr) != dce_rpc_endpoints.end(); - } - -bool is_mapped_dce_rpc_endpoint(const ConnID* id, TransportProto proto) - { - if ( id->dst_addr.GetFamily() == IPv6 ) - // TODO: Does the protocol support v6 addresses? #773 - return false; - - dce_rpc_endpoint_addr addr; - addr.addr = id->dst_addr; - addr.port = ntohs(id->dst_port); - addr.proto = proto; - - return is_mapped_dce_rpc_endpoint(addr); - } - -static void add_dce_rpc_endpoint(const dce_rpc_endpoint_addr& addr, - const UUID& uuid) - { - DEBUG_MSG("Adding endpoint %s @ %s\n", - uuid.to_string(), addr.to_string().c_str()); - dce_rpc_endpoints[addr] = uuid; - - // FIXME: Once we can pass the cookie to the analyzer, we can get rid - // of the dce_rpc_endpoints table. - // FIXME: Don't hard-code the timeout. - - analyzer_mgr->ScheduleAnalyzer(IPAddr(), addr.addr, addr.port, addr.proto, - "DCE_RPC", 5 * 60); - } - -DCE_RPC_Header::DCE_RPC_Header(analyzer::Analyzer* a, const u_char* b) - { - analyzer = a; - bytes = b; - - // This checks whether it's both the first fragment *and* - // the last fragment. - if ( (bytes[3] & 0x3) != 0x3 ) - { - fragmented = 1; - Weird("Fragmented DCE/RPC message"); - } - else - fragmented = 0; - - ptype = (BifEnum::dce_rpc_ptype) bytes[2]; - frag_len = extract_uint16(LittleEndian(), bytes + 8); - } - -DCE_RPC_Session::DCE_RPC_Session(analyzer::Analyzer* a) -: analyzer(a), - if_uuid("00000000-0000-0000-0000-000000000000"), - if_id(BifEnum::DCE_RPC_unknown_if) - { - opnum = -1; - } - -bool DCE_RPC_Session::LooksLikeRPC(int len, const u_char* msg) - { - // if ( ! 
is_IPC ) - // return false; - - try - { - binpac::DCE_RPC_Simple::DCE_RPC_Header h; - h.Parse(msg, msg + len); - if ( h.rpc_vers() == 5 && h.rpc_vers_minor() == 0 ) - { - if ( h.frag_length() == len ) - return true; - else - { - DEBUG_MSG("length mismatch: %d != %d\n", - h.frag_length(), len); - return false; - } - } - } - catch ( const binpac::Exception& ) - { - // do nothing - } - - return false; - } - -void DCE_RPC_Session::DeliverPDU(int is_orig, int len, const u_char* data) - { - if ( dce_rpc_message ) - { - val_list* vl = new val_list; - vl->append(analyzer->BuildConnVal()); - vl->append(new Val(is_orig, TYPE_BOOL)); - vl->append(new EnumVal(data[2], BifType::Enum::dce_rpc_ptype)); - vl->append(new StringVal(len, (const char*) data)); - - analyzer->ConnectionEvent(dce_rpc_message, vl); - } - - try - { - // TODO: handle incremental input - binpac::DCE_RPC_Simple::DCE_RPC_PDU pdu; - pdu.Parse(data, data + len); - - switch ( pdu.header()->PTYPE() ) { - case binpac::DCE_RPC_Simple::DCE_RPC_BIND: - case binpac::DCE_RPC_Simple::DCE_RPC_ALTER_CONTEXT: - DeliverBind(&pdu); - break; - - case binpac::DCE_RPC_Simple::DCE_RPC_REQUEST: - DeliverRequest(&pdu); - break; - - case binpac::DCE_RPC_Simple::DCE_RPC_RESPONSE: - DeliverResponse(&pdu); - break; - } - } - catch ( const binpac::Exception& e ) - { - analyzer->Weird(e.msg().c_str()); - } - } - -void DCE_RPC_Session::DeliverBind(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu) - { - binpac::DCE_RPC_Simple::DCE_RPC_Bind* bind = pdu->body()->bind(); - - for ( int i = 0; i < bind->p_context_elem()->n_context_elem(); ++i ) - { - binpac::DCE_RPC_Simple::p_cont_elem_t* elem = - (*bind->p_context_elem()->p_cont_elem())[i]; - - if_uuid = UUID(elem->abstract_syntax()->if_uuid().begin()); - uuid_map_t::const_iterator uuid_it = - well_known_uuid_map().find(if_uuid); - - if ( uuid_it == well_known_uuid_map().end() ) - { -#ifdef DEBUG - // conn->Weird(fmt("Unknown DCE_RPC interface %s", - // if_uuid.to_string())); -#endif - if_id = 
BifEnum::DCE_RPC_unknown_if; - } - else - if_id = uuid_it->second; - - if ( dce_rpc_bind ) - { - val_list* vl = new val_list; - vl->append(analyzer->BuildConnVal()); - vl->append(new StringVal(if_uuid.to_string())); - // vl->append(new EnumVal(if_id, BifType::Enum::dce_rpc_if_id)); - - analyzer->ConnectionEvent(dce_rpc_bind, vl); - } - } - } - -void DCE_RPC_Session::DeliverRequest(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu) - { - binpac::DCE_RPC_Simple::DCE_RPC_Request* req = pdu->body()->request(); - - opnum = req->opnum(); - - if ( dce_rpc_request ) - { - val_list* vl = new val_list; - vl->append(analyzer->BuildConnVal()); - vl->append(new Val(opnum, TYPE_COUNT)); - vl->append(new StringVal(req->stub().length(), - (const char*) req->stub().begin())); - - analyzer->ConnectionEvent(dce_rpc_request, vl); - } - - switch ( if_id ) { - case BifEnum::DCE_RPC_epmapper: - DeliverEpmapperRequest(pdu, req); - break; - - default: - break; - } - } - -void DCE_RPC_Session::DeliverResponse(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu) - { - binpac::DCE_RPC_Simple::DCE_RPC_Response* resp = pdu->body()->response(); - - if ( dce_rpc_response ) - { - val_list* vl = new val_list; - vl->append(analyzer->BuildConnVal()); - vl->append(new Val(opnum, TYPE_COUNT)); - vl->append(new StringVal(resp->stub().length(), - (const char*) resp->stub().begin())); - analyzer->ConnectionEvent(dce_rpc_response, vl); - } - - switch ( if_id ) { - case BifEnum::DCE_RPC_epmapper: - DeliverEpmapperResponse(pdu, resp); - break; - - default: - break; - } - } - -void DCE_RPC_Session::DeliverEpmapperRequest( - const binpac::DCE_RPC_Simple::DCE_RPC_PDU* /* pdu */, - const binpac::DCE_RPC_Simple::DCE_RPC_Request* /* req */) - { - // DEBUG_MSG("Epmapper request opnum = %d\n", req->opnum()); - // ### TODO(rpang): generate an event on epmapper request - } - -void DCE_RPC_Session::DeliverEpmapperResponse( - const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu, - const binpac::DCE_RPC_Simple::DCE_RPC_Response* resp) 
- { - // DEBUG_MSG("Epmapper request opnum = %d\n", req->opnum()); - switch ( opnum ) { - case 3: // Map - DeliverEpmapperMapResponse(pdu, resp); - break; - } - } - - -void DCE_RPC_Session::DeliverEpmapperMapResponse( - const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu, - const binpac::DCE_RPC_Simple::DCE_RPC_Response* resp) - { - try - { - binpac::DCE_RPC_Simple::epmapper_map_resp epm_resp; - - epm_resp.Parse(resp->stub().begin(), resp->stub().end(), - pdu->byteorder()); - - for ( unsigned int twr_i = 0; - twr_i < epm_resp.towers()->actual_count(); ++twr_i ) - { - binpac::DCE_RPC_Simple::epm_tower* twr = - (*epm_resp.towers()->towers())[twr_i]->tower(); - - mapped.addr = dce_rpc_endpoint_addr(); - mapped.uuid = UUID(); - - for ( int floor_i = 0; floor_i < twr->num_floors(); - ++floor_i ) - { - binpac::DCE_RPC_Simple::epm_floor* floor = - (*twr->floors())[floor_i]; - - switch ( floor->protocol() ) { - case binpac::DCE_RPC_Simple::EPM_PROTOCOL_UUID: - if ( floor_i == 0 ) - mapped.uuid = UUID(floor->lhs()->data()->uuid()->if_uuid()); - break; - - case binpac::DCE_RPC_Simple::EPM_PROTOCOL_TCP: - mapped.addr.port = - floor->rhs()->data()->tcp(); - mapped.addr.proto = TRANSPORT_TCP; - break; - - case binpac::DCE_RPC_Simple::EPM_PROTOCOL_UDP: - mapped.addr.port = - floor->rhs()->data()->udp(); - mapped.addr.proto = TRANSPORT_UDP; - break; - - case binpac::DCE_RPC_Simple::EPM_PROTOCOL_IP: - uint32 hostip = floor->rhs()->data()->ip(); - mapped.addr.addr = IPAddr(IPv4, &hostip, IPAddr::Host); - break; - } - } - - if ( mapped.addr.is_valid_addr() ) - add_dce_rpc_endpoint(mapped.addr, mapped.uuid); - - if ( epm_map_response ) - { - val_list* vl = new val_list; - vl->append(analyzer->BuildConnVal()); - vl->append(new StringVal(mapped.uuid.to_string())); - vl->append(new PortVal(mapped.addr.port, mapped.addr.proto)); - vl->append(new AddrVal(mapped.addr.addr)); - - analyzer->ConnectionEvent(epm_map_response, vl); - } - } - } - catch ( const binpac::Exception& e ) - { - 
analyzer->Weird(e.msg().c_str()); - } - } - -Contents_DCE_RPC_Analyzer::Contents_DCE_RPC_Analyzer(Connection* conn, - bool orig, DCE_RPC_Session* arg_session, bool speculative) -: tcp::TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig) - { - session = arg_session; - msg_buf = 0; - buf_len = 0; - speculation = speculative ? 0 : 1; - - InitState(); - } - -void Contents_DCE_RPC_Analyzer::InitState() - { - // Allocate space for header. - if ( ! msg_buf ) - { - buf_len = DCE_RPC_HEADER_LENGTH; - msg_buf = new u_char[buf_len]; - } - - buf_n = 0; - msg_len = 0; - hdr = 0; - } - -Contents_DCE_RPC_Analyzer::~Contents_DCE_RPC_Analyzer() - { - delete [] msg_buf; - delete hdr; - } - -void Contents_DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig) - { - tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); - - tcp::TCP_Analyzer* tcp = - static_cast(Parent())->TCP(); - - if ( tcp->HadGap(orig) || tcp->IsPartial() ) - return; - - if ( speculation == 0 ) // undecided - { - if ( ! DCE_RPC_Session::LooksLikeRPC(len, data) ) - speculation = -1; - else - speculation = 1; - } - - if ( speculation < 0 ) - return; - - ASSERT(buf_len >= DCE_RPC_HEADER_LENGTH); - while ( len > 0 ) - { - if ( buf_n < DCE_RPC_HEADER_LENGTH ) - { - while ( buf_n < DCE_RPC_HEADER_LENGTH && len > 0 ) - { - msg_buf[buf_n] = *data; - ++buf_n; ++data; --len; - } - - if ( buf_n < DCE_RPC_HEADER_LENGTH ) - break; - else - { - if ( ! 
ParseHeader() ) - return; - } - } - - while ( buf_n < msg_len && len > 0 ) - { - msg_buf[buf_n] = *data; - ++buf_n; ++data; --len; - } - - if ( buf_n < msg_len ) - break; - else - { - if ( msg_len > 0 ) - DeliverPDU(msg_len, msg_buf); - // Reset for next message - InitState(); - } - } - } - -void Contents_DCE_RPC_Analyzer::DeliverPDU(int len, const u_char* data) - { - session->DeliverPDU(IsOrig(), len, data); - } - -bool Contents_DCE_RPC_Analyzer::ParseHeader() - { - delete hdr; - hdr = 0; - - if ( msg_buf[0] != 5 ) // DCE/RPC version - { - Conn()->Weird("DCE/RPC_version_error (non-DCE/RPC?)"); - Conn()->SetSkip(1); - msg_len = 0; - return false; - } - - hdr = new DCE_RPC_Header(this, msg_buf); - - msg_len = hdr->FragLen(); - if ( msg_len > buf_len ) - { - u_char* new_msg_buf = new u_char[msg_len]; - memcpy(new_msg_buf, msg_buf, buf_n); - delete [] msg_buf; - buf_len = msg_len; - msg_buf = new_msg_buf; - hdr->SetBytes(new_msg_buf); - } - - return true; - } - -DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn, bool arg_speculative) -: tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn) - { - session = new DCE_RPC_Session(this); - speculative = arg_speculative; - - AddSupportAnalyzer(new Contents_DCE_RPC_Analyzer(conn, true, session, - speculative)); - AddSupportAnalyzer(new Contents_DCE_RPC_Analyzer(conn, false, session, - speculative)); - } - -DCE_RPC_Analyzer::~DCE_RPC_Analyzer() - { - delete session; - } diff --git a/src/analyzer/protocol/smb/DCE_RPC.h b/src/analyzer/protocol/smb/DCE_RPC.h deleted file mode 100644 index cd3910bf42..0000000000 --- a/src/analyzer/protocol/smb/DCE_RPC.h +++ /dev/null 
@@ -1,191 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#ifndef ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_H -#define ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_H - -// NOTE: This is a somewhat crude analyzer for DCE/RPC (used on Microsoft -// Windows systems) and shouldn't be considered as stable. - -#include "NetVar.h" -#include "analyzer/protocol/tcp/TCP.h" -#include "analyzer/protocol/dce-rpc/events.bif.h" -#include "IPAddr.h" - -#include "dce_rpc_simple_pac.h" - - -namespace analyzer { namespace dce_rpc { - -class UUID { -public: - UUID(); - UUID(const u_char data[16]); - UUID(const binpac::bytestring &uuid); - UUID(const char* s); - - const char* to_string() const { return s.c_str(); } - const string& str() const { return s; } - bool operator==(const UUID& u) const - { return s == u.str(); } - bool operator<(const UUID& u) const - { return s < u.str(); } - -protected: - u_char data[16]; - string s; -}; - -const char* uuid_to_string(const u_char* uuid_data); - -struct dce_rpc_endpoint_addr { - // All fields are in host byteorder. - IPAddr addr; - u_short port; - TransportProto proto; - - dce_rpc_endpoint_addr() - { - addr = IPAddr(); - port = 0; - proto = TRANSPORT_UNKNOWN; - } - - bool is_valid_addr() const - { return addr != IPAddr() && port != 0 && proto != TRANSPORT_UNKNOWN; } - - bool operator<(dce_rpc_endpoint_addr const &e) const - { - if ( addr != e.addr ) - return addr < e.addr; - if ( proto != e.proto ) - return proto < e.proto; - if ( port != e.port ) - return port < e.port; - - return false; - } - - string to_string() const - { - static char buf[128]; - snprintf(buf, sizeof(buf), "%s/%d/%s", - addr.AsString().c_str(), port, - proto == TRANSPORT_TCP ? "tcp" : - (proto == TRANSPORT_UDP ? 
"udp" : "?")); - - return string(buf); - } -}; - -/* -enum DCE_RPC_PTYPE { - DCE_RPC_REQUEST, DCE_RPC_PING, DCE_RPC_RESPONSE, DCE_RPC_FAULT, - DCE_RPC_WORKING, DCE_RPC_NOCALL, DCE_RPC_REJECT, DCE_RPC_ACK, - DCE_RPC_CL_CANCEL, DCE_RPC_FACK, DCE_RPC_CANCEL_ACK, DCE_RPC_BIND, - DCE_RPC_BIND_ACK, DCE_RPC_BIND_NAK, DCE_RPC_ALTER_CONTEXT, - DCE_RPC_ALTER_CONTEXT_RESP, DCE_RPC_SHUTDOWN, DCE_RPC_CO_CANCEL, - DCE_RPC_ORPHANED, -}; -*/ - -#define DCE_RPC_HEADER_LENGTH 16 - -class DCE_RPC_Header { -public: - DCE_RPC_Header(analyzer::Analyzer* a, const u_char* bytes); - - BifEnum::dce_rpc_ptype PTYPE() const { return ptype; } - int FragLen() const { return frag_len; } - int LittleEndian() const { return bytes[4] >> 4; } - bool Fragmented() const { return fragmented; } - - void Weird(const char* msg) { analyzer->Weird(msg); } - void SetBytes(const u_char* b) { bytes = b; } - -protected: - analyzer::Analyzer* analyzer; - const u_char* bytes; - BifEnum::dce_rpc_ptype ptype; - int frag_len; - bool fragmented; -}; - -// Create a general DCE_RPC_Session class so that it can be used in -// case the RPC conversation is tunneled through other connections, -// e.g. through an SMB session. 
- -class DCE_RPC_Session { -public: - DCE_RPC_Session(analyzer::Analyzer* a); - virtual ~DCE_RPC_Session() {} - virtual void DeliverPDU(int is_orig, int len, const u_char* data); - - static bool LooksLikeRPC(int len, const u_char* msg); - static bool any_dce_rpc_event() - { return dce_rpc_message || dce_rpc_bind || dce_rpc_request; } - -protected: - void DeliverBind(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu); - void DeliverRequest(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu); - void DeliverResponse(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu); - - void DeliverEpmapperRequest( - const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu, - const binpac::DCE_RPC_Simple::DCE_RPC_Request* req); - void DeliverEpmapperResponse( - const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu, - const binpac::DCE_RPC_Simple::DCE_RPC_Response* resp); - void DeliverEpmapperMapResponse( - const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu, - const binpac::DCE_RPC_Simple::DCE_RPC_Response* resp); - - analyzer::Analyzer* analyzer; - UUID if_uuid; - BifEnum::dce_rpc_if_id if_id; - int opnum; - struct { - dce_rpc_endpoint_addr addr; - UUID uuid; - } mapped; -}; - -class Contents_DCE_RPC_Analyzer : public tcp::TCP_SupportAnalyzer { -public: - Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* session, - bool speculative); - ~Contents_DCE_RPC_Analyzer(); - -protected: - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void DeliverPDU(int len, const u_char* data); - - void InitState(); - - int speculation; - u_char* msg_buf; - int msg_len; - int buf_n; // number of bytes in msg_buf - int buf_len; // size off msg_buf - DCE_RPC_Header* hdr; - - bool ParseHeader(); - - DCE_RPC_Session* session; -}; - -class DCE_RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer { -public: - DCE_RPC_Analyzer(Connection* conn, bool speculative = false); - ~DCE_RPC_Analyzer(); - - static analyzer::Analyzer* Instantiate(Connection* conn) - { return new DCE_RPC_Analyzer(conn); 
} - -protected: - DCE_RPC_Session* session; - bool speculative; -}; - -} } // namespace analyzer::* - -#endif /* dce_rpc_h */ diff --git a/src/analyzer/protocol/smb/dce_rpc-protocol.pac b/src/analyzer/protocol/smb/dce_rpc-protocol.pac deleted file mode 100644 index f13311a0fa..0000000000 --- a/src/analyzer/protocol/smb/dce_rpc-protocol.pac +++ /dev/null 
@@ -1,141 +0,0 @@ -# Definitions for DCE RPC. - -enum dce_rpc_ptype { - DCE_RPC_REQUEST, - DCE_RPC_PING, - DCE_RPC_RESPONSE, - DCE_RPC_FAULT, - DCE_RPC_WORKING, - DCE_RPC_NOCALL, - DCE_RPC_REJECT, - DCE_RPC_ACK, - DCE_RPC_CL_CANCEL, - DCE_RPC_FACK, - DCE_RPC_CANCEL_ACK, - DCE_RPC_BIND, - DCE_RPC_BIND_ACK, - DCE_RPC_BIND_NAK, - DCE_RPC_ALTER_CONTEXT, - DCE_RPC_ALTER_CONTEXT_RESP, - DCE_RPC_SHUTDOWN, - DCE_RPC_CO_CANCEL, - DCE_RPC_ORPHANED, -}; - -type uuid = bytestring &length = 16; - -type context_handle = record { - attrs : uint32; - uuid : bytestring &length = 16; -}; - -#type rpc_if_id_t = record { -# if_uuid : bytestring &length = 16; -# vers_major : uint16; -# vers_minor : uint16; -#}; - -type NDR_Format = record { - intchar : uint8; - floatspec : uint8; - reserved : padding[2]; -} &let { - byteorder = (intchar >> 4) ? littleendian : bigendian; -}; - -#### There might be a endianness problem here: the frag_length -# causes problems despite the NDR_Format having a byteorder set. - -type DCE_RPC_Header = record { - rpc_vers : uint8 &check(rpc_vers == 5); - rpc_vers_minor : uint8; - PTYPE : uint8; - pfc_flags : uint8; - packed_drep : NDR_Format; - frag_length : uint16; - auth_length : uint16; - call_id : uint32; -} &let { - frag = pfc_flags & 4; - lastfrag = (! 
frag) || (pfc_flags & 2); -} &byteorder = packed_drep.byteorder; - -type Syntax = record { - uuid : bytestring &length = 16; - version : uint32; -}; - -type ContextRequest = record { - id : uint16; - num_syntaxes : uint8; - reserved : padding[1]; - abstract_syntax : Syntax; - transfer_syntaxes : Syntax[num_syntaxes]; -}; - -type ContextReply = record { - ack_result : uint16; - ack_reason : uint16; - syntax : Syntax; -}; - -type ContextList(is_request: bool) = record { - num_contexts : uint8; - reserved : padding[3]; - req_reply : case is_request of { - true -> request_contexts : ContextRequest[num_contexts]; - false -> reply_contexts : ContextReply[num_contexts]; - }; -}; - -type DCE_RPC_Bind = record { - max_xmit_frag : uint16; - max_recv_frag : uint16; - assoc_group_id : uint32; - context_list : ContextList(1); -}; - -type DCE_RPC_Bind_Ack = record { - max_xmit_frag : uint16; - max_recv_frag : uint16; - assoc_group_id : uint32; - sec_addr_length : uint16; - sec_addr : bytestring &length=sec_addr_length; - pad : padding align 4; - contexts : ContextList(0); -}; - -type DCE_RPC_AlterContext = record { - max_xmit_frag : uint16; - max_recv_frag : uint16; - assoc_group_id : uint32; - contexts : ContextList(0); -}; - -type DCE_RPC_Request = record { - alloc_hint : uint32; - context_id : uint16; - opnum : uint16; - # object : uuid; - # stub_pad_0 : padding align 8; - stub : bytestring &restofdata; -}; - -type DCE_RPC_Response = record { - alloc_hint : uint32; - context_id : uint16; - cancel_count : uint8; - reserved : uint8; - # stub_pad_0 : padding align 8; - stub : bytestring &restofdata; -}; - -type DCE_RPC_Body(header: DCE_RPC_Header) = case header.PTYPE of { - DCE_RPC_BIND -> bind : DCE_RPC_Bind; - DCE_RPC_BIND_ACK -> bind_ack : DCE_RPC_Bind_Ack; - DCE_RPC_REQUEST -> request : DCE_RPC_Request; - DCE_RPC_RESPONSE -> response : DCE_RPC_Response; - default -> other : bytestring &restofdata; -}; - -type DCE_RPC_Auth(header: DCE_RPC_Header) = uint8[header.auth_length]; 
diff --git a/src/analyzer/protocol/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac index cf6915a2d7..b7a64c1924 100644 --- a/src/analyzer/protocol/smb/smb-pipe.pac +++ b/src/analyzer/protocol/smb/smb-pipe.pac @@ -1,11 +1,3 @@ -# this won't work correctly yet, since sometimes the parameters -# field in the transaction takes up all of the data field - -%include dce_rpc-protocol.pac - -%extern{ - #include "DCE_RPC.h" -%} refine connection SMB_Conn += { %member{ @@ -14,9 +6,10 @@ refine connection SMB_Conn += { function get_tree_is_pipe(tree_id: uint16): bool %{ - if ( tree_is_pipe_map.count(tree_id) == 0 ) + if ( tree_is_pipe_map.count(tree_id) > 0 ) + return tree_is_pipe_map.at(tree_id); + else return false; - return tree_is_pipe_map[tree_id]; %} function set_tree_is_pipe(tree_id: uint16, is_pipe: bool): bool 
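Review bot: `get_tree_is_pipe` now looks the key up twice (`count` followed by `at`); a single `find` expresses the same thing without the second hash and without leaning on `at` never throwing: `auto it = tree_is_pipe_map.find(tree_id);` / `return it != tree_is_pipe_map.end() && it->second;`. The same count-then-at pattern recurs in `get_is_file_a_pipe` in smb1-com-transaction.pac.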
@@ -25,72 +18,36 @@ refine connection SMB_Conn += { return true; %} - function proc_smb_pipe_message(val: SMB_Pipe_message, header: SMB_Header): bool + function forward_dce_rpc(pipe_data: bytestring, is_orig: bool): bool %{ - switch ( ${val.rpc_header.PTYPE} ) { - case DCE_RPC_REQUEST: - if ( smb_pipe_request ) - BifEvent::generate_smb_pipe_request(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(header), - ${val.rpc_body.request.opnum}); - break; - case DCE_RPC_RESPONSE: - if ( smb_pipe_response ) - BifEvent::generate_smb_pipe_response(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(header)); - break; - case DCE_RPC_BIND_ACK: - if ( smb_pipe_bind_ack_response ) - BifEvent::generate_smb_pipe_bind_ack_response(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(header)); - break; - case DCE_RPC_BIND: - if ( smb_pipe_bind_request ) - { - // TODO - the version number needs to be calculated properly - if ( ${val.rpc_body.bind.context_list.num_contexts} > 0 ) - { - const char * uuid = analyzer::dce_rpc::uuid_to_string(${val.rpc_body.bind.context_list.request_contexts[0].abstract_syntax.uuid}.begin()); - uint32_t version = ${val.rpc_body.bind.context_list.request_contexts[0].abstract_syntax.version}; - - BifEvent::generate_smb_pipe_bind_request(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(header), - new StringVal(uuid), - new StringVal(fmt("%d.0", version))); - } - } - break; - } - + if ( dcerpc ) + dcerpc->DeliverStream(${pipe_data}.length(), ${pipe_data}.begin(), is_orig); return true; %} }; -type SMB_Pipe_message(header: SMB_Header, byte_count: uint16) = record { - rpc_header : DCE_RPC_Header; - rpc_body : DCE_RPC_Body(rpc_header); + +#type SMB_Pipe_message(header: SMB_Header, byte_count: uint16) = record { +# rpc_header : DCE_RPC_Header; +# rpc_body : DCE_RPC_Body(rpc_header); # pipe_type: case $context.connection.determine_pipe_msg_type(rpc, opnum) of { # 1 -> atsvc_request : AT_SVC_Request(unicode, opnum); # 2 -> 
atsvc_reply : AT_SVC_Reply(unicode, opnum); # default -> unknown : bytestring &restofdata; # }; -} &let { - proc: bool = $context.connection.proc_smb_pipe_message(this, header); -} &byteorder = littleendian; - -type SMB_RAP_message(unicode: bool, byte_count: uint16) = record { - rap_code : uint16; - param_desc : SMB_string(unicode, offsetof(param_desc)); - data_desc : SMB_string(unicode, offsetof(data_desc)); - data : bytestring &restofdata; -} &byteorder = littleendian; +#} &let { +# proc: bool = $context.connection.proc_smb_pipe_message(this, header); +#} &byteorder = littleendian; +# +#type SMB_RAP_message(unicode: bool, byte_count: uint16) = record { +# rap_code : uint16; +# param_desc : SMB_string(unicode, offsetof(param_desc)); +# data_desc : SMB_string(unicode, offsetof(data_desc)); +# data : bytestring &restofdata; +#} &byteorder = littleendian; type AT_SVC_Request(unicode: bool, opnum: uint8) = record { - empty: padding[1]; + empty: padding[1]; op: case opnum of { 0 -> add : AT_SVC_NetrJobAdd(unicode); default -> unknown : bytestring &restofdata; @@ -124,6 +81,6 @@ type AT_SVC_Reply(unicode: bool, opnum: uint16) = record { }; type AT_SVC_JobID(unicode: bool) = record { - id: uint32; - status: uint32; + id : uint32; + status : uint32; }; diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac index 918fd98169..5cf79562a1 100644 --- a/src/analyzer/protocol/smb/smb.pac +++ b/src/analyzer/protocol/smb/smb.pac @@ -2,6 +2,10 @@ %include bro.pac %extern{ +#include "analyzer/Manager.h" +#include "analyzer/Analyzer.h" +// #include "analyzer/protocol/dce-rpc/DCE_RPC.h" + #include "smb1_events.bif.h" #include "smb2_events.bif.h" 
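Review bot: `forward_dce_rpc` calls `dcerpc->DeliverStream(...)` directly on the analyzer pointer; in Bro's analyzer API `DeliverStream` is the per-analyzer parsing hook while `NextStream` is the entry point that applies the skip/finished checks and forwards to child analyzers, so if that holds for this tree the call should read `dcerpc->NextStream(${pipe_data}.length(), ${pipe_data}.begin(), is_orig);` — please confirm against Analyzer.h. Separately, the removed `proc_smb_pipe_message` generated `smb_pipe_request`, `smb_pipe_response`, `smb_pipe_bind_request` and `smb_pipe_bind_ack_response`, and nothing in this diff generates them now; if their declarations remain, scripts handling them go silent with no error, so either remove the declarations or document the replacement events. The `SMB_Pipe_message`/`SMB_RAP_message` types turned into `#` comments are dead code that git history already preserves; delete them rather than keep them commented.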
@@ -134,3 +138,18 @@ type SMB_Protocol_Identifier(is_orig: bool, msg_len: uint32) = record { flow SMB_Flow(is_orig: bool) { flowunit = SMB_TCP(is_orig) withcontext(connection, this); }; + +refine connection SMB_Conn += { + %member{ + analyzer::Analyzer *dcerpc; + %} + + %init{ + dcerpc = analyzer_mgr->InstantiateAnalyzer("DCE_RPC", bro_analyzer->Conn()); + %} + + %cleanup{ + if ( dcerpc ) + delete dcerpc; + %} +}; diff --git a/src/analyzer/protocol/smb/smb1-com-read-andx.pac b/src/analyzer/protocol/smb/smb1-com-read-andx.pac index 324eb1bb85..2b83fed1dc 100644 --- a/src/analyzer/protocol/smb/smb1-com-read-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-read-andx.pac @@ -80,12 +80,10 @@ type SMB1_read_andx_response(header: SMB_Header) = record { byte_count : uint16; pad : padding to data_offset - SMB_Header_length; - pipe_or_not : case is_pipe of { - true -> pipe_data : SMB_Pipe_message(header, byte_count) &length=data_len; - default -> data : bytestring &length=data_len; - } &requires(data_len); + data : bytestring &length=data_len; } &let { is_pipe : bool = $context.connection.get_tree_is_pipe(header.tid); + pipe_proc : bool = $context.connection.forward_dce_rpc(data, false) &if(is_pipe); padding_len : uint8 = (header.unicode == 1) ? 1 : 0; data_len : uint32 = (data_len_high << 16) + data_len_low; diff --git a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac index 67bc3d4d4b..c2bc9490fa 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac 
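Review bot: The `DCE_RPC` analyzer created in `%init` is held as a bare `analyzer::Analyzer*` and never attached to the SMB analyzer via `AddChildAnalyzer`, so it sits outside the connection's analyzer tree: it receives no `Init()`/`Done()` calls, is absent from the connection's analyzer bookkeeping, and `%cleanup` deletes it without `Done()` having run, so any state the DCE_RPC analyzer flushes or logs in `Done()` is presumably lost at connection end. Either attach it as a child (`bro_analyzer->AddChildAnalyzer(dcerpc);` and let the parent own it, dropping the `delete`) or add a comment explaining why a detached instance is intended. `InstantiateAnalyzer` returns a null pointer when the analyzer is disabled, which the `if ( dcerpc )` guards anticipate; a one-line comment on the `%init` line saying so (`// null when the DCE_RPC analyzer is disabled; callers check`) would help the next reader. The commented-out `#include` of DCE_RPC.h added in the earlier hunk of this file should be removed rather than left as a comment.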
@@ -13,5 +13,5 @@ type SMB1_transaction_secondary_request(header: SMB_Header) = record { pad1 : padding to param_offset - SMB_Header_length; parameters : bytestring &length = param_count; pad2 : padding to data_offset - SMB_Header_length; - data : SMB1_transaction_data(header, data_count, 0, SMB_UNKNOWN); + data : SMB1_transaction_data(header, true, data_count, 0, SMB_UNKNOWN); }; diff --git a/src/analyzer/protocol/smb/smb1-com-transaction.pac b/src/analyzer/protocol/smb/smb1-com-transaction.pac index 4db7a4a209..7319cf8954 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction.pac @@ -4,9 +4,31 @@ enum Trans_subcommands { NT_TRANSACT_CREATE2 = 0x0009, }; - refine connection SMB_Conn += { + %member{ + map is_file_a_pipe; + %} + + function get_is_file_a_pipe(id: uint16): bool + %{ + if ( is_file_a_pipe.count(id) > 0 ) + { + bool is_pipe = is_file_a_pipe.at(id); + is_file_a_pipe.erase(id); + + return is_pipe; + } + else + return false; + %} + + function set_is_file_a_pipe(id: uint16, is_it: bool): bool + %{ + is_file_a_pipe[id] = is_it; + return true; + %} + function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool %{ if ( smb1_transaction_request ) @@ -15,6 +37,7 @@ refine connection SMB_Conn += { BuildHeaderVal(header), smb_string2stringval(${val.name}), ${val.sub_cmd}); + return true; %} 
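Review bot: `get_is_file_a_pipe` erases the mid's entry on the first lookup, and `SMB1_transaction_response` (hunk -104,8 +133,8) consumes it per response PDU, so if a server splits one transaction's reply across several SMB_COM_TRANSACTION responses carrying the same mid, every response after the first sees `false`, is parsed as SMB_UNKNOWN, and its DCE/RPC bytes never reach `forward_dce_rpc` — a detection gap for exactly the multi-PDU replies that larger RPC responses produce. Consider keeping the entry until the transaction is known to be complete (a separate clear call, or on tree disconnect) instead of erasing on first read, which turns the erase into a few lines rather than one. In the same vein, `SMB1_transaction_secondary_request` (hunk -13,5 +13,5) still hands `SMB_UNKNOWN` to `SMB1_transaction_data`, so pipe data in secondary request PDUs is still dropped; that predates this commit, but the new `is_file_a_pipe` map is precisely the state needed to route it (a non-erasing lookup by `header.mid`). Lastly, `trans_type` changed from the `TransactionType` enum to `int` in hunk -38,14 +61,16; keeping the enum type documents the valid values at no cost.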
@@ -38,14 +61,16 @@ refine connection SMB_Conn += { }; -type SMB1_transaction_data(header: SMB_Header, count: uint16, sub_cmd: uint16, - trans_type: TransactionType) = case trans_type of { -# SMB_MAILSLOT_BROWSE -> mailslot : SMB_MailSlot_message(header.unicode, count); -# SMB_MAILSLOT_LANMAN -> lanman : SMB_MailSlot_message(header.unicode, count); -# SMB_RAP -> rap : SMB_Pipe_message(header.unicode, count); - SMB_PIPE -> pipe : SMB_Pipe_message(header, count); - SMB_UNKNOWN -> unknown : bytestring &restofdata &transient; - default -> data : bytestring &restofdata &transient; +type SMB1_transaction_data(header: SMB_Header, is_orig: bool, count: uint16, sub_cmd: uint16, + trans_type: int) = case trans_type of { +# SMB_MAILSLOT_BROWSE -> mailslot : SMB_MailSlot_message(header.unicode, count); +# SMB_MAILSLOT_LANMAN -> lanman : SMB_MailSlot_message(header.unicode, count); +# SMB_RAP -> rap : SMB_Pipe_message(header.unicode, count); + SMB_PIPE -> pipe_data : bytestring &restofdata; + SMB_UNKNOWN -> unknown : bytestring &restofdata &transient; + default -> data : bytestring &restofdata &transient; +} &let { + pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, is_orig) &if(trans_type == SMB_PIPE); }; type SMB1_transaction_setup(header: SMB_Header) = record { 
@@ -79,9 +104,13 @@ type SMB1_transaction_request(header: SMB_Header) = record { pad1 : padding to param_offset - SMB_Header_length; parameters : bytestring &length = param_count; pad2 : padding to data_offset - SMB_Header_length; - data : SMB1_transaction_data(header, data_count, sub_cmd, determine_transaction_type(setup_count, name)); + data : SMB1_transaction_data(header, true, data_count, sub_cmd, transtype); } &let { sub_cmd : uint16 = setup_count ? setup.op_code : 0; + transtype : int = determine_transaction_type(setup_count, name); + is_pipe : bool = (transtype == SMB_PIPE); + + proc_set_pipe : bool = $context.connection.set_is_file_a_pipe(header.mid, is_pipe); proc : bool = $context.connection.proc_smb1_transaction_request(header, this); }; @@ -104,8 +133,8 @@ type SMB1_transaction_response(header: SMB_Header) = record { pad0 : padding to param_offset - SMB_Header_length; parameters : bytestring &length = param_count; pad1 : padding to data_offset - SMB_Header_length; - data : SMB1_transaction_data(header, data_count, 0, is_tree_a_pipe ? SMB_PIPE : SMB_UNKNOWN)[data_count>0 ? 1 : 0]; + data : SMB1_transaction_data(header, false, data_count, 0, is_pipe ? SMB_PIPE : SMB_UNKNOWN)[data_count>0 ? 1 : 0]; } &let { proc : bool = $context.connection.proc_smb1_transaction_response(header, this); - is_tree_a_pipe: bool = $context.connection.get_tree_is_pipe(header.tid); + is_pipe: bool = $context.connection.get_is_file_a_pipe(header.mid); }; diff --git a/src/analyzer/protocol/smb/smb1-com-write-andx.pac b/src/analyzer/protocol/smb/smb1-com-write-andx.pac index 29905fa3f7..3d4e160968 100644 --- a/src/analyzer/protocol/smb/smb1-com-write-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-write-andx.pac 
@@ -52,12 +52,11 @@ type SMB1_write_andx_request(header: SMB_Header) = record { byte_count : uint16; pad : padding to data_offset - SMB_Header_length; - pipe_or_not : case is_pipe of { - true -> pipe_data : SMB_Pipe_message(header, byte_count) &length=data_len; - default -> data : bytestring &length=data_len; - } &requires(data_len); + data : bytestring &length=data_len; } &let { is_pipe : bool = $context.connection.get_tree_is_pipe(header.tid); + pipe_proc : bool = $context.connection.forward_dce_rpc(data, true) &if(is_pipe); + data_len : uint32 = (data_len_high << 16) + data_len_low; offset_high : uint32 = (word_count == 0x0E) ? offset_high_tmp : 0; offset : uint64 = (offset_high * 0x10000) + offset_low; diff --git a/src/analyzer/protocol/smb/smb2-com-read.pac b/src/analyzer/protocol/smb/smb2-com-read.pac index 587fac69cb..10e3a98acf 100644 --- a/src/analyzer/protocol/smb/smb2-com-read.pac +++ b/src/analyzer/protocol/smb/smb2-com-read.pac @@ -67,14 +67,10 @@ type SMB2_read_response(header: SMB2_Header) = record { data_remaining : uint32; reserved : uint32; pad : padding to data_offset - header.head_length; - pipe_or_not : case is_pipe of { - # The SMB_Pipe_message type doesn't support smb2 pipes yet. - #true -> pipe_data : SMB_Pipe_message(header, data_len) &length=data_len; - true -> pipe_data : bytestring &length=data_len; - false -> data : bytestring &length=data_len; - }; + data : bytestring &length=data_len; } &let { - is_pipe: bool = $context.connection.get_tree_is_pipe(header.tree_id); + is_pipe : bool = $context.connection.get_tree_is_pipe(header.tree_id); + pipe_proc : bool = $context.connection.forward_dce_rpc(data, false) &if(is_pipe); proc: bool = $context.connection.proc_smb2_read_response(header, this); }; diff --git a/src/analyzer/protocol/smb/smb2-com-write.pac b/src/analyzer/protocol/smb/smb2-com-write.pac index 3e09cb0145..06cfd1d1d6 100644 --- a/src/analyzer/protocol/smb/smb2-com-write.pac +++ b/src/analyzer/protocol/smb/smb2-com-write.pac 
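Review bot: In the smb2-com-read hunk the response may be a partial read — `data_remaining : uint32;` is right there in the context — yet `pipe_proc` forwards each response's `data` to forward_dce_rpc on its own, so if the DCE-RPC side expects whole PDUs, a pipe message the server returns in pieces arrives fragmented; confirm that it reassembles, or state the assumption beside the call. This hunk, the smb1-com-write-andx hunk above it and the smb2-com-write hunk in the next file all delete the only comment that explained pipe handling and add none; suggest `# Named-pipe payloads are handed to the DCE-RPC analyzer; SMB does not parse them here.` above each `pipe_proc` line. In the write-andx hunk the `&requires(data_len)` that sat on the removed case is gone while `data : bytestring &length=data_len;` still depends on the &let-computed `data_len` declared below it, so check that binpac derives that ordering on its own and otherwise reattach `&requires(data_len)`.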
@@ -43,14 +43,10 @@ type SMB2_write_request(header: SMB2_Header) = record { channel_info_len : uint16; # ignore flags : uint32; pad : padding to data_offset - header.head_length; - pipe_or_not : case is_pipe of { - # The SMB_Pipe_message type doesn't support smb2 pipes yet. - #true -> pipe_data : SMB_Pipe_message(header, data_len) &length=data_len; - true -> pipe_data : bytestring &length=data_len; - false -> data : bytestring &length=data_len; - }; + data : bytestring &length=data_len; } &let { is_pipe: bool = $context.connection.get_tree_is_pipe(header.tree_id); + pipe_proc : bool = $context.connection.forward_dce_rpc(data, true) &if(is_pipe); proc : bool = $context.connection.proc_smb2_write_request(header, this); }; diff --git a/src/types.bif b/src/types.bif index f2a895f57f..01ad2a2b24 100644 --- a/src/types.bif +++ b/src/types.bif @@ -1,44 +1,5 @@ ##! Declaration of various types that the Bro core uses internally. -enum dce_rpc_ptype %{ - DCE_RPC_REQUEST, - DCE_RPC_PING, - DCE_RPC_RESPONSE, - DCE_RPC_FAULT, - DCE_RPC_WORKING, - DCE_RPC_NOCALL, - DCE_RPC_REJECT, - DCE_RPC_ACK, - DCE_RPC_CL_CANCEL, - DCE_RPC_FACK, - DCE_RPC_CANCEL_ACK, - DCE_RPC_BIND, - DCE_RPC_BIND_ACK, - DCE_RPC_BIND_NAK, - DCE_RPC_ALTER_CONTEXT, - DCE_RPC_ALTER_CONTEXT_RESP, - DCE_RPC_SHUTDOWN, - DCE_RPC_CO_CANCEL, - DCE_RPC_ORPHANED, -%} - -enum dce_rpc_if_id %{ - DCE_RPC_unknown_if, - DCE_RPC_epmapper, - DCE_RPC_lsarpc, - DCE_RPC_lsa_ds, - DCE_RPC_mgmt, - DCE_RPC_netlogon, - DCE_RPC_samr, - DCE_RPC_srvsvc, - DCE_RPC_spoolss, - DCE_RPC_drs, - DCE_RPC_winspipe, - DCE_RPC_wkssvc, - DCE_RPC_oxid, - DCE_RPC_ISCMActivator, -%} - enum rpc_status %{ RPC_SUCCESS, RPC_PROG_UNAVAIL, diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-dcerpc/dce_rpc.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-dcerpc/dce_rpc.log new file mode 100644 index 0000000000..584de66927 --- /dev/null 
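Review bot: The context line `is_pipe: bool = $context.connection.get_tree_is_pipe(header.tree_id);` keeps the no-space form while the parallel smb2-com-read hunk in this commit rewrites its twin to `is_pipe : bool`, and the line added directly beneath it here uses `pipe_proc : bool`. Since the hunk already touches the adjacent line, aligning it to `is_pipe : bool = $context.connection.get_tree_is_pipe(header.tree_id);` keeps the read and write sides parallel. The types.bif hunk that follows is a pure removal of the two enum declarations and needs nothing further.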
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-dcerpc/dce_rpc.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dce_rpc
+#open 2016-04-01-05-18-25
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p rtt named_pipe endpoint operation
+#types time string addr port addr port interval string string string
+1073392738.147860 CXWv6p3arKYeMETxOg 205.227.227.226 49467 205.227.227.243 445 0.004077 \\PIPE\\lsass dssetup DsRolerGetPrimaryDomainInformation
+#close 2016-04-01-05-18-25
diff --git a/testing/btest/Traces/smb/dssetup_DsRoleGetPrimaryDomainInformation_standalone_workstation.cap b/testing/btest/Traces/smb/dssetup_DsRoleGetPrimaryDomainInformation_standalone_workstation.cap
new file mode 100644
index 0000000000..0bbe41a67d
Binary files /dev/null and b/testing/btest/Traces/smb/dssetup_DsRoleGetPrimaryDomainInformation_standalone_workstation.cap differ
diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-dcerpc.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-dcerpc.test
new file mode 100644
index 0000000000..52f05c57b4
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-dcerpc.test
@@ -0,0 +1,5 @@
+# @TEST-EXEC: bro -b -C -r $TRACES/smb/dssetup_DsRoleGetPrimaryDomainInformation_standalone_workstation.cap %INPUT
+# @TEST-EXEC: btest-diff dce_rpc.log
+
+@load base/protocols/dce-rpc
+@load base/protocols/smb