librex 0.0.32 → 0.0.33

data/lib/rex/parser/nmap_xml.rb

@@ -59,66 +59,86 @@ class NmapXMLStreamParser
 	end
 
 	def reset_state
-		@host = { "status" => nil, "addrs" => {}, "ports" => [] }
+		@host = { "status" => nil, "addrs" => {}, "ports" => [], "scripts" => {} }
+		@state = nil
 	end
 
 	def tag_start(name, attributes)
-		case name
-		when "address"
-			@host["addrs"][attributes["addrtype"]] = attributes["addr"]
-			if (attributes["addrtype"] =~ /ipv[46]/)
-				@host["addr"] = attributes["addr"]
-			end
-		when "osclass"
-			# If there is more than one, take the highest accuracy.  In case of
-			# a tie, this will have the effect of taking the last one in the
-			# list.  Last is really no better than first but nmap appears to
-			# put OSes in chronological order, at least for Windows.
-			# Accordingly, this will report XP instead of 2000, 7 instead of
-			# Vista, etc, when each has the same accuracy.
-			if (@host["os_accuracy"].to_i <= attributes["accuracy"].to_i)
-				@host["os_vendor"]   = attributes["vendor"]
-				@host["os_family"]   = attributes["osfamily"]
-				@host["os_version"]  = attributes["osgen"]
-				@host["os_accuracy"] = attributes["accuracy"]
-			end
-		when "osmatch"
-			if(attributes["accuracy"].to_i == 100)
-				@host["os_match"] = attributes["name"]
-			end
-		when "uptime"
-			@host["last_boot"]   = attributes["lastboot"]
-		when "hostname"
-			if(attributes["type"] == "PTR")
-				@host["reverse_dns"] = attributes["name"]
-			end
-		when "status"
-			# <status> refers to the liveness of the host; values are "up" or "down"
-			@host["status"] = attributes["state"]
-			@host["status_reason"] = attributes["reason"]
-		when "port"
-			@host["ports"].push(attributes)
-		when "state"
-			# <state> refers to the state of a port; values are "open", "closed", or "filtered"
-			@host["ports"].last["state"] = attributes["state"]
-		when "service"
-			# Store any service and script info with the associated port.  There shouldn't
-			# be any collisions on attribute names here, so just merge them.
-			@host["ports"].last.merge!(attributes)
-		when "script"
-			@host["ports"].last["scripts"] ||= {}
-			@host["ports"].last["scripts"][attributes["id"]] = attributes["output"]
-		when "trace"
-			@host["trace"] = {"port" => attributes["port"], "proto" => attributes["proto"], "hops" => [] }
-		when "hop"
-			if @host["trace"]
-				@host["trace"]["hops"].push(attributes)
+		begin
+			case name
+			when "address"
+				@host["addrs"][attributes["addrtype"]] = attributes["addr"]
+				if (attributes["addrtype"] =~ /ipv[46]/)
+					@host["addr"] = attributes["addr"]
+				end
+			when "osclass"
+				# If there is more than one, take the highest accuracy.  In case of
+				# a tie, this will have the effect of taking the last one in the
+				# list.  Last is really no better than first but nmap appears to
+				# put OSes in chronological order, at least for Windows.
+				# Accordingly, this will report XP instead of 2000, 7 instead of
+				# Vista, etc, when each has the same accuracy.
+				if (@host["os_accuracy"].to_i <= attributes["accuracy"].to_i)
+					@host["os_vendor"]   = attributes["vendor"]
+					@host["os_family"]   = attributes["osfamily"]
+					@host["os_version"]  = attributes["osgen"]
+					@host["os_accuracy"] = attributes["accuracy"]
+				end
+			when "osmatch"
+				if(attributes["accuracy"].to_i == 100)
+					@host["os_match"] = attributes["name"]
+				end
+			when "uptime"
+				@host["last_boot"]   = attributes["lastboot"]
+			when "hostname"
+				if(attributes["type"] == "PTR")
+					@host["reverse_dns"] = attributes["name"]
+				end
+			when "status"
+				# <status> refers to the liveness of the host; values are "up" or "down"
+				@host["status"] = attributes["state"]
+				@host["status_reason"] = attributes["reason"]
+			when "port"
+				@host["ports"].push(attributes)
+			when "state"
+				# <state> refers to the state of a port; values are "open", "closed", or "filtered"
+				@host["ports"].last["state"] = attributes["state"]
+			when "service"
+				# Store any service and script info with the associated port.  There shouldn't
+				# be any collisions on attribute names here, so just merge them.
+				@host["ports"].last.merge!(attributes)
+			when "script"
+				# Associate scripts under a port tag with the appropriate port.
+				# Other scripts from <hostscript> tags can only be associated with
+				# the host and scripts from <postscript> tags don't really belong
+				# to anything, so ignore them
+				if @state == :in_port_tag
+					@host["ports"].last["scripts"] ||= {}
+					@host["ports"].last["scripts"][attributes["id"]] = attributes["output"]
+				elsif @host
+					@host["scripts"] ||= {}
+					@host["scripts"][attributes["id"]] = attributes["output"]
+				else
+					# post scripts are used for things like comparing all the found
+					# ssh keys to see if multiple hosts have the same key
+					# fingerprint.  Ignore them.
+				end
+			when "trace"
+				@host["trace"] = {"port" => attributes["port"], "proto" => attributes["proto"], "hops" => [] }
+			when "hop"
+				if @host["trace"]
+					@host["trace"]["hops"].push(attributes)
+				end
 			end
+		rescue NoMethodError => err
+			raise err unless err.message =~ /NilClass/
 		end
 	end
 
 	def tag_end(name)
 		case name
+		when "port"
+			@state = nil
 		when "host"
 			on_found_host.call(@host) if on_found_host
 			reset_state

data/lib/rex/parser/nokogiri_doc_mixin.rb

@@ -0,0 +1,99 @@
+module Rex
+	module Parser
+
+		# Determines if Nokogiri is available and if it's a minimum
+		# acceptable version.
+		def self.load_nokogiri
+			@nokogiri_loaded = false
+			begin
+				require 'nokogiri'
+				major,minor = Nokogiri::VERSION.split(".")[0,2]
+				if major.to_i >= 1
+					if minor.to_i >= 4
+						@nokogiri_loaded = true
+					end
+				end
+			rescue LoadError => e
+				@nokogiri_loaded = false
+				@nokogiri_error  = e
+			end
+			@nokogiri_loaded
+		end
+
+		def self.nokogiri_loaded
+			!!@nokogiri_loaded
+		end
+
+		module NokogiriDocMixin
+
+			# Set up the getters and instance variables for the document
+			eval("attr_reader :args, :db, :state, :block, :report_data")
+
+			def initialize(args,db,&block)
+				@args = args
+				@db = db
+				@state = {}
+				@state[:current_tag] = {}
+				@block = block if block
+				@report_data = {:wspace => args[:wspace]}
+				super()
+			end
+
+			# Turn XML attribute pairs in to more workable hashes (there
+			# are better Enumerable tricks in Ruby 1.9, but ignoring for now)
+			def attr_hash(attrs)
+				h = {}
+				attrs.each {|k,v| h[k] = v}
+				h
+			end
+
+			def valid_ip(addr)
+				valid = false
+				valid = ::Rex::Socket::RangeWalker.new(addr).valid? rescue false
+				!!valid
+			end
+
+			# If there's an address, it's not on the blacklist, 
+			# it has ports, and the port list isn't
+			# empty... it's okay.
+			def host_is_okay
+				return false unless @report_data[:host]
+				return false unless valid_ip(@report_data[:host])
+				return false unless @report_data[:state] == Msf::HostState::Alive
+				if @args[:blacklist]
+					return false if @args[:blacklist].include?(@report_data[:host])
+				end
+				return false unless @report_data[:ports]
+				return false if @report_data[:ports].empty?
+				return true
+			end
+
+			# XXX: Define this
+			def determine_port_state(v)
+				return v
+			end
+
+			# Nokogiri 1.4.4 (and presumably beyond) generates attrs as pairs,
+			# like [["value1","foo"],["value2","bar"]] (but not hashes for some 
+			# reason). 1.4.3.1 (and presumably 1.4.3.x and prior) generates attrs
+			# as a flat array of strings. We want array_pairs.
+			def normalize_attrs(attrs)
+				attr_pairs = []
+				case attrs.first
+				when Array, NilClass
+					attr_pairs = attrs
+				when String
+					attrs.each_index {|i| 
+						next if i % 2 == 0
+						attr_pairs << [attrs[i-1],attrs[i]]
+					}
+				else # Wow, yet another format! It's either from the distant past or distant future.
+					raise ::Msf::DBImportError.new("Unknown format for XML attributes. Please check your Nokogiri version.")
+				end
+				return attr_pairs
+			end
+
+
+		end
+	end
+end

data/lib/rex/post/meterpreter/extensions/stdapi/fs/file_stat.rb

@@ -18,7 +18,7 @@ module Fs
 ###
 class FileStat < Rex::Post::FileStat
 
-	class <<self
+	class << self
 		attr_accessor :client
 	end
 

data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb

@@ -43,6 +43,7 @@ class DLL
 	include DLLHelper
 
 	attr_accessor :functions
+	attr_reader   :dll_path
 
 	def initialize(dll_path, client, win_consts) #
 		@dll_path = dll_path

data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb.ut.rb

@@ -3,6 +3,7 @@
 $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..','..','..','..','..', 'lib')) 
 
 require 'rex/post/meterpreter/extensions/stdapi/railgun/dll'
+require 'rex/post/meterpreter/extensions/stdapi/railgun/mock_magic'
 require 'test/unit'
 
 module Rex
@@ -13,51 +14,10 @@ module Stdapi
 module Railgun
 class DLL::UnitTest < Test::Unit::TestCase
 
-	TLV_TYPE_NAMES = {
-		TLV_TYPE_RAILGUN_SIZE_OUT => "TLV_TYPE_RAILGUN_SIZE_OUT",
-		TLV_TYPE_RAILGUN_STACKBLOB => "TLV_TYPE_RAILGUN_STACKBLOB",
-		TLV_TYPE_RAILGUN_BUFFERBLOB_IN => "TLV_TYPE_RAILGUN_BUFFERBLOB_IN", 
-		TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT => "TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT",
-		TLV_TYPE_RAILGUN_DLLNAME => "TLV_TYPE_RAILGUN_DLLNAME",
-		TLV_TYPE_RAILGUN_FUNCNAME => "TLV_TYPE_RAILGUN_FUNCNAME",
-	}
-
-	class MockRailgunClient
-		attr_reader :platform, :check_request, :response_tlvs
-
-		def initialize(platform, response_tlvs, check_request)
-			@check_request = check_request
-			@response_tlvs = response_tlvs
-			@platform = platform 
-		end
-
-		def send_request(request)
-			check_request.call(request)
-
-			(Class.new do
-				def initialize(response_tlvs)
-					@response_tlvs = response_tlvs
-				end
-				def get_tlv_value(type)
-					return @response_tlvs[type]
-				end
-			end).new(@response_tlvs)
-		end
-	end
-
-	def make_mock_client(platform = "x86/win32", target_request_tlvs = [], response_tlvs = [])
-		check_request = lambda do |request|
-			target_request_tlvs.each_pair do |type, target_value|
-				assert_equal(target_value, request.get_tlv_value(type),
-					"process_function_call should send to client appropriate #{TLV_TYPE_NAMES[type]}")
-			end
-		end
-
-		return  MockRailgunClient.new(platform, response_tlvs, check_request)
-	end
+	include MockMagic
 
 	def test_add_function
-		function_descriptions.each do |func|
+		mock_function_descriptions.each do |func|
 			dll = DLL.new(func[:dll_name], make_mock_client(func[:platform]), nil)
 			dll.add_function(func[:name], func[:return_type], func[:params])
 
@@ -67,7 +27,7 @@ class DLL::UnitTest < Test::Unit::TestCase
 	end
 
 	def test_method_missing
-		function_descriptions.each do |func|
+		mock_function_descriptions.each do |func|
 			client = make_mock_client(func[:platform], func[:request_to_client], func[:response_from_client])
 			dll = DLL.new(func[:dll_name], client, nil)
 
@@ -82,90 +42,6 @@ class DLL::UnitTest < Test::Unit::TestCase
 				"process_function_call convert function result to a ruby hash")
 		end
 	end
-
-	# These are sample descriptions of functions to use for testing.
-	def function_descriptions
-		[
-			{
-				:platform => "x86/win32",
-				:name => "LookupAccountSidA",
-				:params => [
-					["PCHAR","lpSystemName","in"],
-					["LPVOID","Sid","in"],
-					["PCHAR","Name","out"],
-					["PDWORD","cchName","inout"],
-					["PCHAR","ReferencedDomainName","out"],
-					["PDWORD","cchReferencedDomainName","inout"],
-					["PBLOB","peUse","out"],
-				],
-				:return_type => "BOOL",
-				:dll_name => "advapi32",
-				:ruby_args => [nil, 1371864, 100, 100, 100, 100, 1],
-				:request_to_client => {
-					TLV_TYPE_RAILGUN_SIZE_OUT => 201,
-					TLV_TYPE_RAILGUN_STACKBLOB => "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD8\xEE\x14\x00\x02\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00d\x00\x00\x00\x03\x00\x00\x00\b\x00\x00\x00\x02\x00\x00\x00\xC8\x00\x00\x00",
-					TLV_TYPE_RAILGUN_BUFFERBLOB_IN => "",
-					TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT => "d\x00\x00\x00\x00\x00\x00\x00d\x00\x00\x00\x00\x00\x00\x00",
-					TLV_TYPE_RAILGUN_DLLNAME => "advapi32",
-					TLV_TYPE_RAILGUN_FUNCNAME => "LookupAccountSidA"
-				},
-				:response_from_client => {
-					TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_INOUT => "\x06\x00\x00\x00\x00\x00\x00\x00\f\x00\x00\x00\x00\x00\x00\x00",
-					TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT => "SYSTEM\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANT AUTHORITY\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x05",
-					TLV_TYPE_RAILGUN_BACK_RET => 1,
-					TLV_TYPE_RAILGUN_BACK_ERR => 997
-				},
-				:returned_hash => {
-					"GetLastError" => 997,
-					"return" => true,
-					"Name" => "SYSTEM",
-					"ReferencedDomainName" => "NT AUTHORITY",
-					"peUse" => "\x05",
-					"cchName" => 6,
-					"cchReferencedDomainName" => 12
-				},
-			},
-			{
-				:platform => 'x64/win64',
-				:name => 'LookupAccountSidA',
-				:params => [
-					["PCHAR", "lpSystemName", "in"],
-					["LPVOID", "Sid", "in"],
-					["PCHAR", "Name", "out"],
-					["PDWORD", "cchName", "inout"],
-					["PCHAR", "ReferencedDomainName", "out"],
-					["PDWORD", "cchReferencedDomainName", "inout"],
-					["PBLOB", "peUse", "out"]
-				],
-				:return_type => 'BOOL',
-				:dll_name => 'advapi32',
-				:ruby_args => [nil, 1631552, 100, 100, 100, 100, 1],
-				:request_to_client => {
-					TLV_TYPE_RAILGUN_SIZE_OUT => 201,
-					TLV_TYPE_RAILGUN_STACKBLOB => "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\xE5\x18\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00d\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\b\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\xC8\x00\x00\x00\x00\x00\x00\x00",
-					TLV_TYPE_RAILGUN_BUFFERBLOB_IN => "",
-					TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT => "d\x00\x00\x00\x00\x00\x00\x00d\x00\x00\x00\x00\x00\x00\x00",
-					TLV_TYPE_RAILGUN_DLLNAME => 'advapi32',
-					TLV_TYPE_RAILGUN_FUNCNAME => 'LookupAccountSidA',
-				},
-				:response_from_client => {
-					TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_INOUT => "\x06\x00\x00\x00\x00\x00\x00\x00\f\x00\x00\x00\x00\x00\x00\x00",
-					TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT => "SYSTEM\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANT AUTHORITY\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x05",
-					TLV_TYPE_RAILGUN_BACK_RET => 1,
-					TLV_TYPE_RAILGUN_BACK_ERR => 0,
-				},
-				:returned_hash => {
-					"GetLastError"=>0,
-					"return"=>true,
-					"Name"=>"SYSTEM",
-					"ReferencedDomainName"=>"NT AUTHORITY",
-					"peUse"=>"\x05",
-					"cchName"=>6,
-					"cchReferencedDomainName"=>12
-				},
-			},
-		]
-	end
 end
 end
 end

data/lib/rex/post/meterpreter/extensions/stdapi/railgun/mock_magic.rb

@@ -0,0 +1,146 @@
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Railgun
+
+require 'rex/post/meterpreter/extensions/stdapi/railgun/tlv'
+
+#
+# This mixin serves as a means of providing common mock objects and utilities
+# relevant to railgun until a better home is decided upon
+# 
+module MockMagic
+	
+	TLV_TYPE_NAMES = {
+		TLV_TYPE_RAILGUN_SIZE_OUT => "TLV_TYPE_RAILGUN_SIZE_OUT",
+		TLV_TYPE_RAILGUN_STACKBLOB => "TLV_TYPE_RAILGUN_STACKBLOB",
+		TLV_TYPE_RAILGUN_BUFFERBLOB_IN => "TLV_TYPE_RAILGUN_BUFFERBLOB_IN", 
+		TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT => "TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT",
+		TLV_TYPE_RAILGUN_DLLNAME => "TLV_TYPE_RAILGUN_DLLNAME",
+		TLV_TYPE_RAILGUN_FUNCNAME => "TLV_TYPE_RAILGUN_FUNCNAME",
+	}
+
+	class MockRailgunClient
+		attr_reader :platform, :check_request, :response_tlvs
+
+		def initialize(platform, response_tlvs, check_request)
+			@check_request = check_request
+			@response_tlvs = response_tlvs
+			@platform = platform 
+		end
+
+		def send_request(request)
+			check_request.call(request)
+
+			(Class.new do
+				def initialize(response_tlvs)
+					@response_tlvs = response_tlvs
+				end
+				def get_tlv_value(type)
+					return @response_tlvs[type]
+				end
+			end).new(@response_tlvs)
+		end
+	end
+
+	def make_mock_client(platform = "x86/win32", target_request_tlvs = [], response_tlvs = [])
+		check_request = lambda do |request|
+			target_request_tlvs.each_pair do |type, target_value|
+				assert_equal(target_value, request.get_tlv_value(type),
+					"process_function_call should send to client appropriate #{TLV_TYPE_NAMES[type]}")
+			end
+		end
+
+		return  MockRailgunClient.new(platform, response_tlvs, check_request)
+	end
+
+	# These are sample descriptions of functions to use for testing.
+	# the definitions include everything needed to mock and end to end test
+	def mock_function_descriptions
+		[
+			{
+				:platform => "x86/win32",
+				:name => "LookupAccountSidA",
+				:params => [
+					["PCHAR","lpSystemName","in"],
+					["LPVOID","Sid","in"],
+					["PCHAR","Name","out"],
+					["PDWORD","cchName","inout"],
+					["PCHAR","ReferencedDomainName","out"],
+					["PDWORD","cchReferencedDomainName","inout"],
+					["PBLOB","peUse","out"],
+				],
+				:return_type => "BOOL",
+				:dll_name => "advapi32",
+				:ruby_args => [nil, 1371864, 100, 100, 100, 100, 1],
+				:request_to_client => {
+					TLV_TYPE_RAILGUN_SIZE_OUT => 201,
+					TLV_TYPE_RAILGUN_STACKBLOB => "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD8\xEE\x14\x00\x02\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00d\x00\x00\x00\x03\x00\x00\x00\b\x00\x00\x00\x02\x00\x00\x00\xC8\x00\x00\x00",
+					TLV_TYPE_RAILGUN_BUFFERBLOB_IN => "",
+					TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT => "d\x00\x00\x00\x00\x00\x00\x00d\x00\x00\x00\x00\x00\x00\x00",
+					TLV_TYPE_RAILGUN_DLLNAME => "advapi32",
+					TLV_TYPE_RAILGUN_FUNCNAME => "LookupAccountSidA"
+				},
+				:response_from_client => {
+					TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_INOUT => "\x06\x00\x00\x00\x00\x00\x00\x00\f\x00\x00\x00\x00\x00\x00\x00",
+					TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT => "SYSTEM\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANT AUTHORITY\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x05",
+					TLV_TYPE_RAILGUN_BACK_RET => 1,
+					TLV_TYPE_RAILGUN_BACK_ERR => 997
+				},
+				:returned_hash => {
+					"GetLastError" => 997,
+					"return" => true,
+					"Name" => "SYSTEM",
+					"ReferencedDomainName" => "NT AUTHORITY",
+					"peUse" => "\x05",
+					"cchName" => 6,
+					"cchReferencedDomainName" => 12
+				},
+			},
+			{
+				:platform => 'x64/win64',
+				:name => 'LookupAccountSidA',
+				:params => [
+					["PCHAR", "lpSystemName", "in"],
+					["LPVOID", "Sid", "in"],
+					["PCHAR", "Name", "out"],
+					["PDWORD", "cchName", "inout"],
+					["PCHAR", "ReferencedDomainName", "out"],
+					["PDWORD", "cchReferencedDomainName", "inout"],
+					["PBLOB", "peUse", "out"]
+				],
+				:return_type => 'BOOL',
+				:dll_name => 'advapi32',
+				:ruby_args => [nil, 1631552, 100, 100, 100, 100, 1],
+				:request_to_client => {
+					TLV_TYPE_RAILGUN_SIZE_OUT => 201,
+					TLV_TYPE_RAILGUN_STACKBLOB => "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\xE5\x18\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00d\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\b\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\xC8\x00\x00\x00\x00\x00\x00\x00",
+					TLV_TYPE_RAILGUN_BUFFERBLOB_IN => "",
+					TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT => "d\x00\x00\x00\x00\x00\x00\x00d\x00\x00\x00\x00\x00\x00\x00",
+					TLV_TYPE_RAILGUN_DLLNAME => 'advapi32',
+					TLV_TYPE_RAILGUN_FUNCNAME => 'LookupAccountSidA',
+				},
+				:response_from_client => {
+					TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_INOUT => "\x06\x00\x00\x00\x00\x00\x00\x00\f\x00\x00\x00\x00\x00\x00\x00",
+					TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT => "SYSTEM\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANT AUTHORITY\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x05",
+					TLV_TYPE_RAILGUN_BACK_RET => 1,
+					TLV_TYPE_RAILGUN_BACK_ERR => 0,
+				},
+				:returned_hash => {
+					"GetLastError"=>0,
+					"return"=>true,
+					"Name"=>"SYSTEM",
+					"ReferencedDomainName"=>"NT AUTHORITY",
+					"peUse"=>"\x05",
+					"cchName"=>6,
+					"cchReferencedDomainName"=>12
+				},
+			},
+		]
+	end
+
+end
+
+end; end; end; end; end; end;