RubyGems - ruby_smb - Versions diffs - 2.0.2 → 2.0.3 - Mend

ruby_smb 2.0.2 → 2.0.3

Files changed (110) hide show

checksums.yaml +4 -4
checksums.yaml.gz.sig +0 -0
data.tar.gz.sig +0 -0
data/examples/anonymous_auth.rb +3 -3
data/examples/append_file.rb +10 -8
data/examples/authenticate.rb +9 -5
data/examples/delete_file.rb +8 -6
data/examples/enum_registry_key.rb +5 -4
data/examples/enum_registry_values.rb +5 -4
data/examples/list_directory.rb +8 -6
data/examples/negotiate_with_netbios_service.rb +9 -5
data/examples/net_share_enum_all.rb +6 -4
data/examples/pipes.rb +11 -12
data/examples/query_service_status.rb +64 -0
data/examples/read_file.rb +8 -6
data/examples/read_registry_key_value.rb +6 -5
data/examples/rename_file.rb +9 -7
data/examples/tree_connect.rb +7 -5
data/examples/write_file.rb +9 -7
data/lib/ruby_smb/client.rb +72 -43
data/lib/ruby_smb/client/negotiation.rb +1 -0
data/lib/ruby_smb/dcerpc.rb +2 -0
data/lib/ruby_smb/dcerpc/error.rb +3 -0
data/lib/ruby_smb/dcerpc/ndr.rb +209 -44
data/lib/ruby_smb/dcerpc/request.rb +13 -0
data/lib/ruby_smb/dcerpc/rpc_security_attributes.rb +34 -0
data/lib/ruby_smb/dcerpc/rrp_unicode_string.rb +9 -6
data/lib/ruby_smb/dcerpc/svcctl.rb +479 -0
data/lib/ruby_smb/dcerpc/svcctl/change_service_config_w_request.rb +48 -0
data/lib/ruby_smb/dcerpc/svcctl/change_service_config_w_response.rb +26 -0
data/lib/ruby_smb/dcerpc/svcctl/close_service_handle_request.rb +25 -0
data/lib/ruby_smb/dcerpc/svcctl/close_service_handle_response.rb +26 -0
data/lib/ruby_smb/dcerpc/svcctl/control_service_request.rb +26 -0
data/lib/ruby_smb/dcerpc/svcctl/control_service_response.rb +26 -0
data/lib/ruby_smb/dcerpc/svcctl/open_sc_manager_w_request.rb +35 -0
data/lib/ruby_smb/dcerpc/svcctl/open_sc_manager_w_response.rb +23 -0
data/lib/ruby_smb/dcerpc/svcctl/open_service_w_request.rb +31 -0
data/lib/ruby_smb/dcerpc/svcctl/open_service_w_response.rb +23 -0
data/lib/ruby_smb/dcerpc/svcctl/query_service_config_w_request.rb +25 -0
data/lib/ruby_smb/dcerpc/svcctl/query_service_config_w_response.rb +44 -0
data/lib/ruby_smb/dcerpc/svcctl/query_service_status_request.rb +23 -0
data/lib/ruby_smb/dcerpc/svcctl/query_service_status_response.rb +27 -0
data/lib/ruby_smb/dcerpc/svcctl/service_status.rb +25 -0
data/lib/ruby_smb/dcerpc/svcctl/start_service_w_request.rb +27 -0
data/lib/ruby_smb/dcerpc/svcctl/start_service_w_response.rb +25 -0
data/lib/ruby_smb/dcerpc/winreg.rb +98 -17
data/lib/ruby_smb/dcerpc/winreg/create_key_request.rb +73 -0
data/lib/ruby_smb/dcerpc/winreg/create_key_response.rb +36 -0
data/lib/ruby_smb/dcerpc/winreg/enum_key_request.rb +1 -1
data/lib/ruby_smb/dcerpc/winreg/enum_value_request.rb +1 -1
data/lib/ruby_smb/dcerpc/winreg/enum_value_response.rb +1 -1
data/lib/ruby_smb/dcerpc/winreg/open_root_key_request.rb +4 -4
data/lib/ruby_smb/dcerpc/winreg/query_info_key_request.rb +1 -1
data/lib/ruby_smb/dcerpc/winreg/query_value_request.rb +7 -6
data/lib/ruby_smb/dcerpc/winreg/query_value_response.rb +10 -10
data/lib/ruby_smb/dcerpc/winreg/save_key_request.rb +37 -0
data/lib/ruby_smb/dcerpc/winreg/save_key_response.rb +23 -0
data/lib/ruby_smb/dispatcher/base.rb +1 -1
data/lib/ruby_smb/dispatcher/socket.rb +1 -1
data/lib/ruby_smb/field/stringz16.rb +17 -1
data/lib/ruby_smb/nbss/session_header.rb +4 -4
data/lib/ruby_smb/smb1/file.rb +2 -10
data/lib/ruby_smb/smb1/pipe.rb +2 -0
data/lib/ruby_smb/smb2/file.rb +25 -17
data/lib/ruby_smb/smb2/pipe.rb +3 -0
data/lib/ruby_smb/smb2/tree.rb +9 -3
data/lib/ruby_smb/version.rb +1 -1
data/spec/lib/ruby_smb/client_spec.rb +161 -60
data/spec/lib/ruby_smb/dcerpc/ndr_spec.rb +1396 -77
data/spec/lib/ruby_smb/dcerpc/rpc_security_attributes_spec.rb +161 -0
data/spec/lib/ruby_smb/dcerpc/rrp_unicode_string_spec.rb +49 -12
data/spec/lib/ruby_smb/dcerpc/svcctl/change_service_config_w_request_spec.rb +191 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/change_service_config_w_response_spec.rb +38 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/close_service_handle_request_spec.rb +30 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/close_service_handle_response_spec.rb +38 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/control_service_request_spec.rb +39 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/control_service_response_spec.rb +38 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/open_sc_manager_w_request_spec.rb +78 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/open_sc_manager_w_response_spec.rb +38 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/open_service_w_request_spec.rb +59 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/open_service_w_response_spec.rb +38 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/query_service_config_w_request_spec.rb +38 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/query_service_config_w_response_spec.rb +152 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/query_service_status_request_spec.rb +30 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/query_service_status_response_spec.rb +38 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/service_status_spec.rb +72 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/start_service_w_request_spec.rb +46 -0
data/spec/lib/ruby_smb/dcerpc/svcctl/start_service_w_response_spec.rb +30 -0
data/spec/lib/ruby_smb/dcerpc/svcctl_spec.rb +512 -0
data/spec/lib/ruby_smb/dcerpc/winreg/create_key_request_spec.rb +110 -0
data/spec/lib/ruby_smb/dcerpc/winreg/create_key_response_spec.rb +44 -0
data/spec/lib/ruby_smb/dcerpc/winreg/enum_key_request_spec.rb +0 -4
data/spec/lib/ruby_smb/dcerpc/winreg/enum_value_request_spec.rb +2 -2
data/spec/lib/ruby_smb/dcerpc/winreg/enum_value_response_spec.rb +2 -2
data/spec/lib/ruby_smb/dcerpc/winreg/open_root_key_request_spec.rb +9 -4
data/spec/lib/ruby_smb/dcerpc/winreg/query_info_key_request_spec.rb +0 -4
data/spec/lib/ruby_smb/dcerpc/winreg/query_value_request_spec.rb +17 -17
data/spec/lib/ruby_smb/dcerpc/winreg/query_value_response_spec.rb +11 -23
data/spec/lib/ruby_smb/dcerpc/winreg/save_key_request_spec.rb +57 -0
data/spec/lib/ruby_smb/dcerpc/winreg/save_key_response_spec.rb +22 -0
data/spec/lib/ruby_smb/dcerpc/winreg_spec.rb +215 -41
data/spec/lib/ruby_smb/dispatcher/socket_spec.rb +10 -10
data/spec/lib/ruby_smb/field/stringz16_spec.rb +12 -0
data/spec/lib/ruby_smb/nbss/session_header_spec.rb +4 -11
data/spec/lib/ruby_smb/smb1/pipe_spec.rb +7 -0
data/spec/lib/ruby_smb/smb2/file_spec.rb +60 -6
data/spec/lib/ruby_smb/smb2/pipe_spec.rb +7 -0
data/spec/lib/ruby_smb/smb2/tree_spec.rb +35 -1
metadata +72 -2
metadata.gz.sig +0 -0

data/lib/ruby_smb/dcerpc/svcctl/start_service_w_request.rb ADDED

@@ -0,0 +1,27 @@
+require 'ruby_smb/dcerpc/ndr'
+module RubySMB
+  module Dcerpc
+    module Svcctl
+      # [3.1.4.19 RStartServiceW (Opnum 19)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/d9be95a2-cf01-4bdc-b30f-6fe4b37ada16)
+      class StartServiceWRequest < BinData::Record
+        attr_reader :opnum
+        endian :little
+        sc_rpc_handle       :h_service
+        uint32              :argc
+        ndr_lp_string_ptrsw :argv
+        def initialize_instance
+          super
+          @opnum = START_SERVICE_W
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/svcctl/start_service_w_response.rb ADDED

@@ -0,0 +1,25 @@
+require 'ruby_smb/dcerpc/ndr'
+module RubySMB
+  module Dcerpc
+    module Svcctl
+      # [3.1.4.19 RStartServiceW (Opnum 19)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/d9be95a2-cf01-4bdc-b30f-6fe4b37ada16)
+      class StartServiceWResponse < BinData::Record
+        attr_reader :opnum
+        endian :little
+        uint32 :error_status
+        def initialize_instance
+          super
+          @opnum = START_SERVICE_W
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/winreg.rb CHANGED

@@ -13,11 +13,13 @@ module RubySMB
       OPEN_HKPD             = 0x03
       OPEN_HKU              = 0x04
       REG_CLOSE_KEY         = 0x05
+      REG_CREATE_KEY        = 0x06
       REG_ENUM_KEY          = 0x09
       REG_ENUM_VALUE        = 0x0a
       REG_OPEN_KEY          = 0x0f
       REG_QUERY_INFO_KEY    = 0x10
       REG_QUERY_VALUE       = 0x11
+      REG_SAVE_KEY          = 0x14
       OPEN_HKCC             = 0x1b
       OPEN_HKPT             = 0x20
       OPEN_HKPN             = 0x21
@@ -37,6 +39,10 @@ module RubySMB
       require 'ruby_smb/dcerpc/winreg/query_info_key_response'
       require 'ruby_smb/dcerpc/winreg/query_value_request'
       require 'ruby_smb/dcerpc/winreg/query_value_response'
+      require 'ruby_smb/dcerpc/winreg/create_key_request'
+      require 'ruby_smb/dcerpc/winreg/create_key_response'
+      require 'ruby_smb/dcerpc/winreg/save_key_request'
+      require 'ruby_smb/dcerpc/winreg/save_key_response'
       ROOT_KEY_MAP = {
         "HKEY_CLASSES_ROOT"         => OPEN_HKCR,
@@ -125,7 +131,9 @@ module RubySMB
       # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
       def query_value(handle, value_name)
         query_value_request_packet = RubySMB::Dcerpc::Winreg::QueryValueRequest.new(hkey: handle, lp_value_name: value_name)
-        query_value_request_packet.lp_data.referent_identifier = 0
+        query_value_request_packet.lp_type = 0
+        query_value_request_packet.lpcb_data = 0
+        query_value_request_packet.lpcb_len = 0
         response = dcerpc_request(query_value_request_packet)
         begin
           query_value_response = RubySMB::Dcerpc::Winreg::QueryValueResponse.read(response)
@@ -137,9 +145,9 @@ module RubySMB
             "#{WindowsError::Win32.find_by_retval(query_value_response.error_status.value).join(',')}"
         end
-        query_value_request_packet = RubySMB::Dcerpc::Winreg::QueryValueRequest.new(hkey: handle, lp_value_name: value_name)
         query_value_request_packet.lpcb_data = query_value_response.lpcb_data
-        query_value_request_packet.lp_data.max_count = query_value_response.lpcb_data.referent
+        query_value_request_packet.lp_data = []
+        query_value_request_packet.lp_data.referent.max_count = query_value_response.lpcb_data.referent
         response = dcerpc_request(query_value_request_packet)
         begin
           query_value_response = RubySMB::Dcerpc::Winreg::QueryValueResponse.read(response)
@@ -185,6 +193,10 @@ module RubySMB
       # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
       def query_info_key(handle)
         query_info_key_request_packet = RubySMB::Dcerpc::Winreg::QueryInfoKeyRequest.new(hkey: handle)
+        query_info_key_request_packet.lp_class = ''
+        query_info_key_request_packet.lp_class.referent.actual_count = 0
+        query_info_key_request_packet.lp_class.maximum_length = 1024
+        query_info_key_request_packet.lp_class.buffer.referent.max_count = 1024 / 2
         response = dcerpc_request(query_info_key_request_packet)
         begin
           query_info_key_response = RubySMB::Dcerpc::Winreg::QueryInfoKeyResponse.read(response)
@@ -209,7 +221,9 @@ module RubySMB
       def enum_key(handle, index)
         enum_key_request_packet = RubySMB::Dcerpc::Winreg::EnumKeyRequest.new(hkey: handle, dw_index: index)
         enum_key_request_packet.lpft_last_write_time = 0
-        enum_key_request_packet.lp_class.referent.buffer = 0
+        enum_key_request_packet.lp_class = ''
+        enum_key_request_packet.lp_class.referent.buffer = :null
+        enum_key_request_packet.lp_name.buffer = ''
         enum_key_request_packet.lp_name.buffer.referent.max_count = 256
         response = dcerpc_request(enum_key_request_packet)
         begin
@@ -234,7 +248,7 @@ module RubySMB
       # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
       def enum_value(handle, index)
         enum_value_request_packet = RubySMB::Dcerpc::Winreg::EnumValueRequest.new(hkey: handle, dw_index: index)
-        enum_value_request_packet.lp_data.referent_identifier = 0
+        enum_value_request_packet.lp_value_name.buffer = ''
         enum_value_request_packet.lp_value_name.buffer.referent.max_count = 256
         response = dcerpc_request(enum_value_request_packet)
         begin
@@ -250,13 +264,72 @@ module RubySMB
         enum_value_response.lp_value_name.to_s
       end
+      # Creates the specified registry key and returns a handle to the newly created key
+      #
+      # @param handle [Ndr::NdrContextHandle] the handle for the key
+      # @param sub_key [String] the name of the key
+      # @param opts [Hash] options for the CreateKeyRequest
+      # @return [RubySMB::Dcerpc::Winreg::PrpcHkey] the handle to the opened or created key
+      # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response is not a CreateKeyResponse packet
+      # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
+      def create_key(handle, sub_key, opts = {})
+        opts = {
+          hkey:                   handle,
+          lp_sub_key:             sub_key,
+          lp_class:               opts[:lp_class] || :null,
+          dw_options:             opts[:dw_options] || RubySMB::Dcerpc::Winreg::CreateKeyRequest::REG_KEY_TYPE_VOLATILE,
+          sam_desired:            opts[:sam_desired] || RubySMB::Dcerpc::Winreg::Regsam.new(maximum: 1),
+          lp_security_attributes: opts[:lp_security_attributes] || RubySMB::Dcerpc::RpcSecurityAttributes.new,
+          lpdw_disposition:       opts[:lpdw_disposition] || RubySMB::Dcerpc::Winreg::CreateKeyRequest::REG_CREATED_NEW_KEY,
+        }
+        create_key_request_packet = RubySMB::Dcerpc::Winreg::CreateKeyRequest.new(opts)
+        response = dcerpc_request(create_key_request_packet)
+        begin
+          create_key_response = RubySMB::Dcerpc::Winreg::CreateKeyResponse.read(response)
+        rescue IOError
+          raise RubySMB::Dcerpc::Error::InvalidPacket, "Error reading the CreateKey response"
+        end
+        unless create_key_response.error_status == WindowsError::Win32::ERROR_SUCCESS
+          raise RubySMB::Dcerpc::Error::WinregError, "Error returned when creating key #{sub_key}: "\
+            "#{WindowsError::Win32.find_by_retval(create_key_response.error_status.value).join(',')}"
+        end
+        create_key_response.hkey
+      end
+      # Saves the specified key, subkeys, and values to a new file
+      #
+      # @param handle [Ndr::NdrContextHandle] the handle for the key
+      # @param file_name [String] the name of the registry file in which the specified key and subkeys are to be saved
+      # @param opts [Hash] options for the SaveKeyRequest
+      # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response is not a SaveKeyResponse packet
+      # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
+      def save_key(handle, file_name, opts = {})
+        opts = {
+          hkey:                   handle,
+          lp_file:                file_name,
+          lp_security_attributes: opts[:lp_security_attributes] || :null,
+        }
+        save_key_request_packet = RubySMB::Dcerpc::Winreg::SaveKeyRequest.new(opts)
+        response = dcerpc_request(save_key_request_packet)
+        begin
+          save_key_response = RubySMB::Dcerpc::Winreg::SaveKeyResponse.read(response)
+        rescue IOError
+          raise RubySMB::Dcerpc::Error::InvalidPacket, "Error reading the SaveKeyResponse response"
+        end
+        unless save_key_response.error_status == WindowsError::Win32::ERROR_SUCCESS
+          raise RubySMB::Dcerpc::Error::WinregError, "Error returned when saving key to #{file_name}: "\
+            "#{WindowsError::Win32.find_by_retval(save_key_response.error_status.value).join(',')}"
+        end
+      end
       # Checks if the specified registry key exists. It returns true if it
       # exists, false otherwise.
       #
       # @param key [String] the registry key to check
       # @return [Boolean]
-      def has_registry_key?(key)
-        bind(endpoint: RubySMB::Dcerpc::Winreg)
+      def has_registry_key?(key, bind: true)
+        bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
         root_key, sub_key = key.gsub(/\//, '\\').split('\\', 2)
         begin
@@ -265,8 +338,10 @@ module RubySMB
         rescue RubySMB::Dcerpc::Error::WinregError
           return false
         end
-        close_key(subkey_handle)
         return true
+      ensure
+        close_key(subkey_handle) if subkey_handle
+        close_key(root_key_handle) if root_key_handle
       end
       # Retrieve the data associated with the named value of a specified
@@ -275,15 +350,17 @@ module RubySMB
       # @param key [String] the registry key
       # @param value_name [String] the name of the value to read
       # @return [String] the data of the value entry
-      def read_registry_key_value(key, value_name)
-        bind(endpoint: RubySMB::Dcerpc::Winreg)
+      def read_registry_key_value(key, value_name, bind: true)
+        bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
         root_key, sub_key = key.gsub(/\//, '\\').split('\\', 2)
         root_key_handle = open_root_key(root_key)
         subkey_handle = open_key(root_key_handle, sub_key)
         value = query_value(subkey_handle, value_name)
-        close_key(subkey_handle)
         value
+      ensure
+        close_key(subkey_handle) if subkey_handle
+        close_key(root_key_handle) if root_key_handle
       end
       # Enumerate the subkeys of a specified registry key. If only a root key
@@ -291,8 +368,8 @@ module RubySMB
       #
       # @param key [String] the registry key
       # @return [Array<String>] the subkeys
-      def enum_registry_key(key)
-        bind(endpoint: RubySMB::Dcerpc::Winreg)
+      def enum_registry_key(key, bind: true)
+        bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
         root_key, sub_key = key.gsub(/\//, '\\').split('\\', 2)
         root_key_handle = open_root_key(root_key)
@@ -307,16 +384,18 @@ module RubySMB
         key_count.times do |i|
           enum_result << enum_key(subkey_handle, i)
         end
-        close_key(subkey_handle)
         enum_result
+      ensure
+        close_key(subkey_handle) if subkey_handle
+        close_key(root_key_handle) if root_key_handle
       end
       # Enumerate the values for the specified registry key.
       #
       # @param key [String] the registry key
       # @return [Array<String>] the values
-      def enum_registry_values(key)
-        bind(endpoint: RubySMB::Dcerpc::Winreg)
+      def enum_registry_values(key, bind: true)
+        bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
         root_key, sub_key = key.gsub(/\//, '\\').split('\\', 2)
         root_key_handle = open_root_key(root_key)
@@ -331,8 +410,10 @@ module RubySMB
         value_count.times do |i|
           enum_result << enum_value(subkey_handle, i)
         end
-        close_key(subkey_handle)
         enum_result
+      ensure
+        close_key(subkey_handle) if subkey_handle
+        close_key(root_key_handle) if root_key_handle
       end
     end

data/lib/ruby_smb/dcerpc/winreg/create_key_request.rb ADDED

@@ -0,0 +1,73 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+      class RpcHkey < Ndr::NdrContextHandle; end
+      # This class represents a BaseRegCreateKey Request Packet as defined in
+      # [3.1.5.7 BaseRegCreateKey (Opnum 6)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/c7186ae2-1c82-45e9-933b-97d9873657e8)
+      class CreateKeyRequest < BinData::Record
+        # Options:
+        # bitwise OR of one of the key types (REG_KEY_TYPE_*), and any or none
+        # of the other options:
+        #
+        # This key is not volatile. The key and all its values MUST be
+        # persisted to the backing store and is preserved when the registry
+        # server loses context due to a computer restart, reboot, or shut down
+        # process.
+        REG_KEY_TYPE_NON_VOLATILE  = 0x00000000
+        # This key is volatile. The key with all its subkeys and values MUST
+        # NOT be preserved when the registry server loses context due to a
+        # computer restart, reboot, or shut down process.
+        REG_KEY_TYPE_VOLATILE      = 0x00000001
+        # This key is a symbolic link to another key.
+        REG_KEY_TYPE_SYMLINK       = 0x00000002
+        # Indicates that the caller wishes to assert its backup and/or restore
+        # privileges.
+        REG_OPTION_BACKUP_RESTORE  = 0x00000004
+        # Indicates that the caller wishes to open the targeted symlink source
+        # rather than the symlink target.
+        REG_OPTION_OPEN_LINK       = 0x00000008
+        # Indicates that the caller wishes to disable limited user access
+        # virtualization for this operation.
+        REG_OPTION_DONT_VIRTUALIZE = 0x00000010
+        # Create disposition:
+        # The key did not exist and was created.
+        REG_CREATED_NEW_KEY     = 0x00000001
+        # The key already existed and was opened without being changed.
+        REG_OPENED_EXISTING_KEY = 0x00000002
+        attr_reader :opnum
+        endian :little
+        rpc_hkey                 :hkey
+        rrp_unicode_string       :lp_sub_key
+        string                   :pad1, length: -> { pad_length(self.lp_sub_key) }
+        rrp_unicode_string       :lp_class
+        string                   :pad2, length: -> { pad_length(self.lp_class) }
+        uint32                   :dw_options
+        regsam                   :sam_desired
+        prpc_security_attributes :lp_security_attributes
+        string                   :pad3, length: -> { pad_length(self.lp_security_attributes) }
+        ndr_lp_dword             :lpdw_disposition
+        def initialize_instance
+          super
+          @opnum = REG_CREATE_KEY
+        end
+        # Determines the correct length for the padding, so that the next
+        # field is 4-byte aligned.
+        def pad_length(prev_element)
+          offset = (prev_element.abs_offset + prev_element.to_binary_s.length) % 4
+          (4 - offset) % 4
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/winreg/create_key_response.rb ADDED

@@ -0,0 +1,36 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+      class PrpcHkey < Ndr::NdrContextHandle; end
+      # This class represents a BaseRegCreateKey Response Packet as defined in
+      # [3.1.5.7 BaseRegCreateKey (Opnum 6)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/c7186ae2-1c82-45e9-933b-97d9873657e8)
+      class CreateKeyResponse < BinData::Record
+        # Create disposition
+        # The key did not exist and was created.
+        REG_CREATED_NEW_KEY     = 0x00000001
+        # The key already existed and was opened without being changed.
+        REG_OPENED_EXISTING_KEY = 0x00000002
+        attr_reader :opnum
+        endian :little
+        prpc_hkey    :hkey
+        ndr_lp_dword :lpdw_disposition
+        uint32       :error_status
+        def initialize_instance
+          super
+          @opnum = REG_CREATE_KEY
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/winreg/enum_key_request.rb CHANGED

@@ -13,7 +13,7 @@ module RubySMB
         rpc_hkey            :hkey
         uint32              :dw_index
-        rrp_unicode_string  :lp_name
+        rrp_unicode_string :lp_name
         string              :pad1,     length: -> { pad_length1 }
         prrp_unicode_string :lp_class
         string              :pad2,     length: -> { pad_length2 }

data/lib/ruby_smb/dcerpc/winreg/enum_value_request.rb CHANGED

@@ -16,7 +16,7 @@ module RubySMB
         rrp_unicode_string :lp_value_name
         string             :pad, length: -> { pad_length }
         ndr_lp_dword       :lp_type
-        ndr_lp_byte        :lp_data
+        ndr_lp_byte_array  :lp_data
         ndr_lp_dword       :lpcb_data
         ndr_lp_dword       :lpcb_len

data/lib/ruby_smb/dcerpc/winreg/enum_value_response.rb CHANGED

@@ -12,7 +12,7 @@ module RubySMB
         rrp_unicode_string :lp_value_name
         string             :pad, length: -> { pad_length }
         ndr_lp_dword       :lp_type
-        ndr_lp_byte        :lp_data
+        ndr_lp_byte_array  :lp_data
         ndr_lp_dword       :lpcb_data
         ndr_lp_dword       :lpcb_len
         uint32             :error_status

data/lib/ruby_smb/dcerpc/winreg/open_root_key_request.rb CHANGED

@@ -4,10 +4,10 @@ module RubySMB
       # This class represents a PREGISTRY_SERVER_NAME structure as defined in
       # [2.2.2 PREGISTRY_SERVER_NAME](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/8bcd15fd-1aa5-44e2-8662-112ec3e9817b)
-      class PRegistryServerName < Ndr::NdrTopLevelFullPointer
+      class PRegistryServerName < Ndr::NdrPointer
         endian :little
-        string16 :referent, read_length: -> { 4 }
+        string16 :referent, onlyif: -> { self.referent_id != 0 }, read_length: -> { 4 }
       end
       # This class is a generic class that represents OpenXXX Request packet,
@@ -33,8 +33,8 @@ module RubySMB
         def initialize_instance
           super
           @opnum = get_parameter(:opnum) if has_parameter?(:opnum)
-          p_registry_server_name.referent = "\0\0"
-          sam_desired.maximum = 1 unless [OPEN_HKPD, OPEN_HKPT, OPEN_HKPN].include?(@opnum)
+          self.p_registry_server_name = :null
+          self.sam_desired.maximum = 1 unless [OPEN_HKPD, OPEN_HKPT, OPEN_HKPN].include?(@opnum)
         end
       end

data/lib/ruby_smb/dcerpc/winreg/query_info_key_request.rb CHANGED

@@ -12,7 +12,7 @@ module RubySMB
         endian :little
         rpc_hkey           :hkey
-        rrp_unicode_string :lp_class, initial_value: 0
+        rrp_unicode_string :lp_class
         def initialize_instance
           super