ruby_smb 3.3.5 → 3.3.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b89cb4c288acaa9a8a0b92a92051e3d441f8a0221d4fd07d8e450a100e60c9f3
-  data.tar.gz: '08ea52772ee67282ccc7bc1fd488e6ef7eb486960086c69aa8bff8945c67fe2f'
+  metadata.gz: 228afeef84601354373c132ceaa48341ed9f5f4bbab4e625c37d2f2d71864146
+  data.tar.gz: 71512d0529ba352d0cc0ee7c27a27e03116d50f31801beed3fd04cb19e73f4ff
 SHA512:
-  metadata.gz: 3051889e91d780f88b08bfca39078bd25b00b9e8ef0eabd61e9e22a1636a2d760add5fc6e57b3316a500072ff0029f4c4f0485f3a3c52db80b9626c0458d5e6e
-  data.tar.gz: 7f212f644989208c3d2d319e90be6bba3796abac64f458d41edcb56423afccf7cca307a88ef2d0eb55ddcd074b9c69d8c1bca2800965644ef01a160ab069c22f
+  metadata.gz: 3c7dede328c8d637b9088da518649deba6d758a1093e3591bb0cd9e2f4c458a5c5a82a37640aa14523586aa6e83b61d59d4fab21d3fa33739c47d687367cede3
+  data.tar.gz: 6c72f0673379264f71a55935dec05f13f195614c9cd8d6f44935687ab028545e233496ad04f4157a07d1f5f74092fac8dd43f69713d2ac1aeeb7006a12c47e21

data/examples/registry_key_security_descriptor.rb

@@ -0,0 +1,109 @@
+#!/usr/bin/ruby
+
+# This example script is used for testing the Winreg registry key security descriptor functionalities.
+# It will attempt to connect to a host and reads (or writes) the security descriptor of a specified registry key.
+#
+# Example usage:
+# - read:
+# ruby examples/read_registry_key_security.rb --username msfadmin --password msfadmin -i 7 -o r 192.168.172.138 'HKLM\SECURITY\Policy\PolEKList'
+# This will try to connect to \\192.168.172.138 with the msfadmin:msfadmin
+# credentialas and read the security descriptor of the
+# `HKLM\SECURITY\Policy\PolEKList` registry key with the security information 7
+# (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
+# DACL_SECURITY_INFORMATION).
+#
+# - write:
+# ruby examples/read_registry_key_security.rb --username msfadmin --password msfadmin -i 4 --sd 01000480000000000000000000000000140000000200340002000000000214003f000f00010100000000000512000000000218000000060001020000000000052000000020020000 -o w 192.168.172.138 'HKLM\SECURITY\Policy\PolEKList'
+# This will try to connect to \\192.168.172.138 with the msfadmin:msfadmin
+# credentialas and write the given security descriptor to the
+# `HKLM\SECURITY\Policy\PolEKList` registry key with the security information 4
+# (DACL_SECURITY_INFORMATION).
+
+require 'bundler/setup'
+require 'optparse'
+require 'ruby_smb'
+
+OPERATIONS = %w{read write}
+OPERATION_ALIASES = { "r" => "read", "w" => "write" }
+
+args = ARGV.dup
+options = {
+  domain: '.',
+  username: '',
+  password: '',
+  smbv1: true,
+  smbv2: true,
+  smbv3: true,
+  target: nil,
+  key: nil,
+  operation: 'read',
+  info: RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION | RubySMB::Field::SecurityDescriptor::GROUP_SECURITY_INFORMATION | RubySMB::Field::SecurityDescriptor::DACL_SECURITY_INFORMATION,
+  sd: nil
+}
+options[:key] = args.pop
+options[:target ] = args.pop
+optparser = OptionParser.new do |opts|
+  opts.banner = "Usage: #{File.basename(__FILE__)} [options] target reg_key"
+  opts.on('--[no-]smbv1', "Enable or disable SMBv1 (default: #{options[:smbv1] ? 'Enabled' : 'Disabled'})") do |smbv1|
+    options[:smbv1] = smbv1
+  end
+  opts.on('--[no-]smbv2', "Enable or disable SMBv2 (default: #{options[:smbv2] ? 'Enabled' : 'Disabled'})") do |smbv2|
+    options[:smbv2] = smbv2
+  end
+  opts.on('--[no-]smbv3', "Enable or disable SMBv3 (default: #{options[:smbv3] ? 'Enabled' : 'Disabled'})") do |smbv3|
+    options[:smbv3] = smbv3
+  end
+  opts.on('-u', '--username [USERNAME]', "The account's username (default: #{options[:username]})") do |username|
+    if username.include?('\\')
+      options[:domain], options[:username] = username.split('\\', 2)
+    else
+      options[:username] = username
+    end
+  end
+  opts.on('-p', '--password [PASSWORD]', "The account's password (default: #{options[:password]})") do |password|
+    options[:password] = password
+  end
+  operation_list = (OPERATION_ALIASES.keys + OPERATIONS).join(', ')
+  opts.on('-o', '--operation OPERATION', OPERATIONS, OPERATION_ALIASES, "The operation to perform on the registry key (default: #{options[:operation]})", "(#{operation_list})") do |operation|
+    options[:operation] = operation
+  end
+  opts.on('-i', '--info [SECURITY INFORMATION]', Integer, "The security information value (default: #{options[:info]})") do |password|
+    options[:info] = password
+  end
+  opts.on('-s', '--sd [SECURITY DESCRIPTOR]', "The security descriptor to write as an hex string") do |sd|
+    options[:sd] = sd
+  end
+end
+optparser.parse!(args)
+
+if options[:target].nil? || options[:key].nil?
+  abort(optparser.help)
+end
+
+sock = TCPSocket.new options[:target], 445
+dispatcher = RubySMB::Dispatcher::Socket.new(sock)
+
+client = RubySMB::Client.new(dispatcher, smb1: options[:smbv1], smb2: options[:smbv2], smb3: options[:smbv3], username: options[:username], password: options[:password], domain: options[:domain])
+protocol = client.negotiate
+status = client.authenticate
+
+puts "#{protocol}: #{status}"
+
+case options[:operation]
+when 'read', 'r'
+  puts "Read registry key #{options[:key]} security descriptor with security information #{options[:info]}"
+  security_descriptor = client.get_key_security_descriptor(options[:target], options[:key], options[:info])
+  puts "Security descriptor: #{security_descriptor.b.bytes.map {|c| "%02x" % c.ord}.join}"
+when 'write', 'w'
+  unless options[:sd] && !options[:sd].empty?
+    puts "Security descriptor missing"
+    abort(optparser.help)
+  end
+  puts "Write security descriptor #{options[:sd]} to registry key #{options[:key]} with security information #{options[:info]}"
+  sd = options[:sd].chars.each_slice(2).map {|c| c.join.to_i(16).chr}.join
+  status = client.set_key_security_descriptor(options[:target], options[:key], sd, options[:info])
+  puts "Success!"
+end
+
+client.disconnect!
+

data/lib/ruby_smb/client/winreg.rb

@@ -40,6 +40,18 @@ module RubySMB
         end
       end
 
+      def get_key_security_descriptor(host, key, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION)
+        connect_to_winreg(host) do |named_pipe|
+          named_pipe.get_key_security_descriptor(key, security_information)
+        end
+      end
+
+      def set_key_security_descriptor(host, key, security_descriptor, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION)
+        connect_to_winreg(host) do |named_pipe|
+          named_pipe.set_key_security_descriptor(key, security_descriptor, security_information)
+        end
+      end
+
     end
   end
 end

data/lib/ruby_smb/dcerpc/ndr.rb

@@ -66,12 +66,16 @@ module RubySMB::Dcerpc::Ndr
   end
 
   # [Integers](https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_02_05)
-  # This will define the four size Integers accepted by the NDR protocol:
+  # This will define the eight Integers accepted by the NDR protocol:
+  # - NdrInt8
   # - NdrUint8
+  # - NdrInt16
   # - NdrUint16
+  # - NdrInt32
   # - NdrUint32
+  # - NdrInt64
   # - NdrUint64
-  {Uint8: 1, Uint16le: 2, Uint32le: 4, Uint64le: 8}.each do |klass, nb_bytes|
+  {Int8: 1, Uint8: 1, Int16le: 2, Uint16le: 2, Int32le: 4, Uint32le: 4, Int64le: 8, Uint64le: 8}.each do |klass, nb_bytes|
     new_klass_name = "Ndr#{klass.to_s.chomp('le')}"
     unless self.const_defined?(new_klass_name)
       new_klass = Class.new(BinData.const_get(klass)) do
@@ -563,8 +567,11 @@ module RubySMB::Dcerpc::Ndr
     def get_max_count(val)
       if is_a?(BinData::Stringz)
         max_count = val.to_s.strip.length
-        # Only count the terminating NULL byte if the string is not empty
-        max_count += 1 if max_count > 0
+        # Add one to count the terminator. According to
+        # https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_04_02,
+        # the NDR String must contain at least one element, the terminator. So,
+        # add one even if it is an empty string.
+        max_count += 1
         return max_count
       else
         return val.to_s.length
@@ -618,8 +625,11 @@ module RubySMB::Dcerpc::Ndr
     def update_actual_count(val)
       if is_a?(BinData::Stringz)
         @actual_count = val.to_s.strip.length
-        # Only count the terminating NULL byte if the string is not empty
-        @actual_count += 1 if @actual_count > 0
+        # Add one to count the terminator. According to
+        # https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_04,
+        # the NDR String must contain at least one element, the terminator. So,
+        # add one even if it is an empty string.
+        @actual_count += 1
       else
         @actual_count = val.to_s.length
       end

data/lib/ruby_smb/dcerpc/request.rb

@@ -18,22 +18,24 @@ module RubySMB
       choice :stub, label: 'Stub', selection: -> { @obj.parent.get_parameter(:endpoint) || '' } do
         string 'Encrypted'
         choice 'Winreg', selection: -> { opnum } do
-          open_root_key_request  Winreg::OPEN_HKCR, opnum: Winreg::OPEN_HKCR
-          open_root_key_request  Winreg::OPEN_HKCU, opnum: Winreg::OPEN_HKCU
-          open_root_key_request  Winreg::OPEN_HKLM, opnum: Winreg::OPEN_HKLM
-          open_root_key_request  Winreg::OPEN_HKPD, opnum: Winreg::OPEN_HKPD
-          open_root_key_request  Winreg::OPEN_HKU,  opnum: Winreg::OPEN_HKU
-          open_root_key_request  Winreg::OPEN_HKCC, opnum: Winreg::OPEN_HKCC
-          open_root_key_request  Winreg::OPEN_HKPT, opnum: Winreg::OPEN_HKPT
-          open_root_key_request  Winreg::OPEN_HKPN, opnum: Winreg::OPEN_HKPN
-          close_key_request      Winreg::REG_CLOSE_KEY
-          enum_key_request       Winreg::REG_ENUM_KEY
-          enum_value_request     Winreg::REG_ENUM_VALUE
-          open_key_request       Winreg::REG_OPEN_KEY
-          query_info_key_request Winreg::REG_QUERY_INFO_KEY
-          query_value_request    Winreg::REG_QUERY_VALUE
-          create_key_request     Winreg::REG_CREATE_KEY
-          save_key_request       Winreg::REG_SAVE_KEY
+          open_root_key_request     Winreg::OPEN_HKCR, opnum: Winreg::OPEN_HKCR
+          open_root_key_request     Winreg::OPEN_HKCU, opnum: Winreg::OPEN_HKCU
+          open_root_key_request     Winreg::OPEN_HKLM, opnum: Winreg::OPEN_HKLM
+          open_root_key_request     Winreg::OPEN_HKPD, opnum: Winreg::OPEN_HKPD
+          open_root_key_request     Winreg::OPEN_HKU,  opnum: Winreg::OPEN_HKU
+          open_root_key_request     Winreg::OPEN_HKCC, opnum: Winreg::OPEN_HKCC
+          open_root_key_request     Winreg::OPEN_HKPT, opnum: Winreg::OPEN_HKPT
+          open_root_key_request     Winreg::OPEN_HKPN, opnum: Winreg::OPEN_HKPN
+          close_key_request         Winreg::REG_CLOSE_KEY
+          enum_key_request          Winreg::REG_ENUM_KEY
+          enum_value_request        Winreg::REG_ENUM_VALUE
+          open_key_request          Winreg::REG_OPEN_KEY
+          query_info_key_request    Winreg::REG_QUERY_INFO_KEY
+          query_value_request       Winreg::REG_QUERY_VALUE
+          create_key_request        Winreg::REG_CREATE_KEY
+          save_key_request          Winreg::REG_SAVE_KEY
+          get_key_security_request  Winreg::REG_GET_KEY_SECURITY
+          set_key_security_request  Winreg::REG_SET_KEY_SECURITY
           string                 :default
         end
         choice 'Netlogon', selection: -> { opnum } do
@@ -74,6 +76,7 @@ module RubySMB
           samr_create_user2_in_domain_request          Samr::SAMR_CREATE_USER2_IN_DOMAIN
           samr_set_information_user2_request           Samr::SAMR_SET_INFORMATION_USER2
           samr_delete_user_request                     Samr::SAMR_DELETE_USER
+          samr_query_information_domain_request        Samr::SAMR_QUERY_INFORMATION_DOMAIN
           string                                       :default
         end
         choice 'Wkssvc', selection: -> { opnum } do

data/lib/ruby_smb/dcerpc/rrp_rpc_unicode_string.rb

@@ -20,7 +20,7 @@ module RubySMB
         when BinData::Stringz, BinData::String, String
           self.buffer = val.to_s
           val_length = val.strip.length
-          val_length += 1 unless val == ''
+          val_length += 1
           self.buffer_length = val_length * 2
           self.maximum_length = val_length * 2
         else

data/lib/ruby_smb/dcerpc/samr/sampr_domain_info_buffer.rb

@@ -0,0 +1,151 @@
+module RubySMB
+  module Dcerpc
+    module Samr
+      # [2.2.3.5 DOMAIN_PASSWORD_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/0ae356d8-c220-4706-846e-ebbdc6fabdcb)
+      class SamprDomainPasswordInformation < Ndr::NdrStruct
+        default_parameters byte_align: 4
+        endian :little
+
+        ndr_uint16 :min_password_length
+        ndr_uint16 :password_history_length
+        ndr_uint32 :password_properties
+        ndr_int64  :max_password_age
+        ndr_int64  :min_password_age
+      end
+
+      # [2.2.3.12 SAMPR_DOMAIN_OEM_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/7cbb7ff0-e593-440d-8341-a3435195cdf1)
+      class SamprDomainOemInformation < Ndr::NdrStruct
+        default_parameters byte_align: 4
+        endian :little
+
+        rpc_unicode_string :oem_information
+      end
+
+      # [2.2.3.7 DOMAIN_SERVER_ROLE_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/cb0e586a-29c8-49b2-8ced-c273a7476c22)
+      class SamprDomainServerRoleInformation < Ndr::NdrStruct
+        default_parameters byte_align: 4
+        endian :little
+
+        ndr_uint16 :domain_server_role
+      end
+
+      # [2.2.3.15 SAMPR_DOMAIN_LOCKOUT_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/c9d789ed-c54a-4450-be56-251e627e1f52)
+      class SamprDomainLockoutInformation < Ndr::NdrStruct
+        default_parameters byte_align: 4
+        endian :little
+
+        ndr_uint64  :lockout_duration
+        ndr_uint64  :lockout_observation_window
+        ndr_uint16  :lockout_threshold
+      end
+
+      # [2.2.3.10 SAMPR_DOMAIN_GENERAL_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/85973e1c-96f2-4c80-8135-b24d74ad7794)
+      class SamprDomainGeneralInformation < Ndr::NdrStruct
+        default_parameters byte_align: 4
+        endian :little
+
+        ndr_int64          :force_logoff
+        rpc_unicode_string :oem_information
+        rpc_unicode_string :domain_name
+        rpc_unicode_string :replica_source_node_name
+        ndr_int64          :domain_modified_count
+        ndr_uint32         :domain_server_state
+        ndr_uint32         :domain_server_role
+        ndr_uint8          :uas_compatibility_required
+        ndr_uint32         :user_count
+        ndr_uint32         :group_count
+        ndr_uint32         :alias_count
+      end
+
+      # [2.2.3.6 DOMAIN_LOGOFF_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6fb0bbea-888c-4353-b5f8-75e7862344be)
+      class SamprDomainLogoffInformation < Ndr::NdrStruct
+        default_parameters byte_align: 4
+        endian :little
+
+        ndr_int64  :force_logoff
+      end
+
+      # [2.2.3.13 SAMPR_DOMAIN_NAME_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/5131d2c0-04c7-4c1b-8fd5-0b0b6cfa6c24)
+      class SamprDomainNameInformation < Ndr::NdrStruct
+        default_parameters byte_align: 4
+        endian :little
+
+        rpc_unicode_string :domain_name
+      end
+
+      # [2.2.3.8 DOMAIN_MODIFIED_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e1da9680-8968-423b-98c0-fbdcf1535ef9)
+      class SamprDomainModifiedInformation < Ndr::NdrStruct
+        default_parameters byte_align: 4
+        endian :little
+
+        ndr_int64 :domain_modified_count
+        ndr_int64 :creation_time
+      end
+
+      # [2.2.3.9 DOMAIN_MODIFIED_INFORMATION2](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/47eea81b-5fee-4925-b5c1-fc594dcc8dff)
+      class SamprDomainModifiedInformation2 < Ndr::NdrStruct
+        default_parameters byte_align: 4
+        endian :little
+
+        ndr_int64 :domain_modified_count
+        ndr_int64 :creation_time
+        ndr_int64 :modified_count_at_last_promotion
+      end
+
+      # [2.2.3.3 DOMAIN_STATE_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/f224edcf-8d4e-4294-b0c3-b0eda384c402)
+      class SamprDomainStateInformation < Ndr::NdrStruct
+        default_parameters byte_align: 4
+        endian :little
+
+        ndr_uint16 :domain_server_state
+      end
+
+      # [2.2.3.11 SAMPR_DOMAIN_GENERAL_INFORMATION2](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/9a663cf2-0923-4959-b2c5-2e25c19735ff)
+      class SamprDomainGeneralInformation2 < Ndr::NdrStruct
+        default_parameters byte_align: 4
+        endian :little
+
+        sampr_domain_general_information :i1
+        ndr_uint64  :lockout_duration
+        ndr_uint64  :lockout_observation_window
+        ndr_uint16  :lockout_threshold
+      end
+
+      # [2.2.3.14 SAMPR_DOMAIN_REPLICATION_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/c9293797-e11d-4098-be12-bf9e1de91f20)
+      class SamprDomainReplicationInformation < Ndr::NdrStruct
+        default_parameters byte_align: 4
+        endian :little
+
+        rpc_unicode_string :replica_node_name
+      end
+
+      # [2.2.3.17 SAMPR_DOMAIN_INFO_BUFFER](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/1adc2142-dbb8-4554-aa24-010c713698bf)
+      class SamprDomainInfoBuffer < BinData::Record
+        default_parameters byte_align: 4
+        endian :little
+
+        uint16 :info_class
+        skip   length: 2
+
+        choice :buffer, selection: :info_class do
+          sampr_domain_password_information    DOMAIN_PASSWORD_INFORMATION
+          sampr_domain_oem_information         DOMAIN_OEM_INFORMATION
+          sampr_domain_server_role_information DOMAIN_SERVER_ROLE_INFORMATION
+          sampr_domain_lockout_information     DOMAIN_LOCKOUT_INFORMATION
+          sampr_domain_logoff_information      DOMAIN_LOGOFF_INFORMATION
+          sampr_domain_general_information     DOMAIN_GENERAL_INFORMATION
+          sampr_domain_name_information        DOMAIN_NAME_INFORMATION
+          sampr_domain_modified_information    DOMAIN_MODIFIED_INFORMATION
+          sampr_domain_modified_information2   DOMAIN_MODIFIED_INFORMATION2
+          sampr_domain_state_information       DOMAIN_STATE_INFORMATION
+          sampr_domain_general_information2    DOMAIN_GENERAL_INFORMATION2
+          sampr_domain_replication_information DOMAIN_REPLICATION_INFORMATION
+        end
+      end
+
+      class PsamprDomainInfoBuffer < SamprDomainInfoBuffer
+        extend Ndr::PointerClassPlugin
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/samr/samr_query_information_domain_request.rb

@@ -0,0 +1,22 @@
+module RubySMB
+  module Dcerpc
+    module Samr
+
+      # [3.1.5.5.2 SamrQueryInformationDomain (Opnum 8)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/5d6a2817-caa9-41ca-a269-fd13ecbb4fa8)
+      class SamrQueryInformationDomainRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        sampr_handle :domain_handle
+        ndr_uint16   :domain_information_class
+
+        def initialize_instance
+          super
+          @opnum = SAMR_QUERY_INFORMATION_DOMAIN
+        end
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/samr/samr_query_information_domain_response.rb

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Samr
+
+      # [3.1.5.5.2 SamrQueryInformationDomain (Opnum 8)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/5d6a2817-caa9-41ca-a269-fd13ecbb4fa8)
+      class SamrQueryInformationDomainResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        psampr_domain_info_buffer :buffer
+        ndr_uint32                :error_status
+
+        def initialize_instance
+          super
+          @opnum = SAMR_QUERY_INFORMATION_DOMAIN
+        end
+      end
+
+    end
+  end
+end
+

data/lib/ruby_smb/dcerpc/samr.rb

@@ -16,6 +16,7 @@ module RubySMB
       SAMR_LOOKUP_DOMAIN_IN_SAM_SERVER     = 0x0005
       SAMR_ENUMERATE_DOMAINS_IN_SAM_SERVER = 0x0006
       SAMR_OPEN_DOMAIN                     = 0x0007
+      SAMR_QUERY_INFORMATION_DOMAIN        = 0x0008
       SAMR_ENUMERATE_USERS_IN_DOMAIN       = 0x000D
       SAMR_GET_ALIAS_MEMBERSHIP            = 0x0010
       SAMR_LOOKUP_NAMES_IN_DOMAIN          = 0x0011
@@ -139,6 +140,20 @@ module RubySMB
       USER_ALL_SECURITYDESCRIPTOR  = 0x10000000
       USER_ALL_UNDEFINED_MASK      = 0xC0000000
 
+      # [2.2.3.16 DOMAIN_INFORMATION_CLASS Values](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6)
+      DOMAIN_PASSWORD_INFORMATION    = 1
+      DOMAIN_GENERAL_INFORMATION     = 2
+      DOMAIN_LOGOFF_INFORMATION      = 3
+      DOMAIN_OEM_INFORMATION         = 4
+      DOMAIN_NAME_INFORMATION        = 5
+      DOMAIN_REPLICATION_INFORMATION = 6
+      DOMAIN_SERVER_ROLE_INFORMATION = 7
+      DOMAIN_MODIFIED_INFORMATION    = 8
+      DOMAIN_STATE_INFORMATION       = 9
+      DOMAIN_GENERAL_INFORMATION2    = 11
+      DOMAIN_LOCKOUT_INFORMATION     = 12
+      DOMAIN_MODIFIED_INFORMATION2   = 13
+
       # [2.2.6.28 USER_INFORMATION_CLASS Values](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6)
       USER_GENERAL_INFORMATION       = 1
       USER_PREFERENCES_INFORMATION   = 2
@@ -474,6 +489,7 @@ module RubySMB
       end
 
       require 'ruby_smb/dcerpc/samr/rpc_sid'
+      require 'ruby_smb/dcerpc/samr/sampr_domain_info_buffer'
 
       require 'ruby_smb/dcerpc/samr/samr_connect_request'
       require 'ruby_smb/dcerpc/samr/samr_connect_response'
@@ -503,6 +519,8 @@ module RubySMB
       require 'ruby_smb/dcerpc/samr/samr_set_information_user2_response'
       require 'ruby_smb/dcerpc/samr/samr_delete_user_request'
       require 'ruby_smb/dcerpc/samr/samr_delete_user_response'
+      require 'ruby_smb/dcerpc/samr/samr_query_information_domain_request'
+      require 'ruby_smb/dcerpc/samr/samr_query_information_domain_response'
 
       # Returns a handle to a server object.
       #
@@ -979,7 +997,30 @@ module RubySMB
         samr_get_groups_for_user_reponse.groups.groups.to_ary
       end
 
+      # Returns domain information.
+      #
+      # @param domain_handle [RubySMB::Dcerpc::Samr::SamprHandle] An RPC context
+      #   representing a domain object
+      # @param info_class [Integer] The class of information to retrieve
+      # @return [BinData::Choice] The requested information.
+      def samr_query_information_domain(domain_handle:, info_class:)
+        samr_request = SamrQueryInformationDomainRequest.new(
+          domain_handle: domain_handle,
+          domain_information_class: info_class
+        )
+        response = dcerpc_request(samr_request)
+        begin
+          samr_response = SamrQueryInformationDomainResponse.read(response)
+        rescue IOError
+          raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading SamrQueryInformationDomainResponse'
+        end
+        unless samr_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
+          raise RubySMB::Dcerpc::Error::SamrError,
+            "Error returned while querying domain information: "\
+            "#{WindowsError::NTStatus.find_by_retval(samr_response.error_status.value).join(',')}"
+        end
+        samr_response.buffer.buffer
+      end
     end
   end
 end
-

data/lib/ruby_smb/dcerpc/winreg/get_key_security_request.rb

@@ -0,0 +1,26 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+
+      # This class represents a GetKeySecurity Request Packet as defined in
+      # [3.1.5.13 BaseRegGetKeySecurity (Opnum 12)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/b0e1868c-f4fd-4b43-959f-c0f0cac3ee26)
+      class GetKeySecurityRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        rpc_hkey                :hkey
+        uint32                  :security_information
+        rpc_security_descriptor :prpc_security_descriptor_in
+
+        def initialize_instance
+          super
+          @opnum = REG_GET_KEY_SECURITY
+        end
+      end
+
+    end
+  end
+end
+
+

data/lib/ruby_smb/dcerpc/winreg/get_key_security_response.rb

@@ -0,0 +1,26 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+
+      # This class represents a GetKeySecurity Response Packet as defined in
+      # [3.1.5.13 BaseRegGetKeySecurity (Opnum 12)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/b0e1868c-f4fd-4b43-959f-c0f0cac3ee26)
+      class GetKeySecurityResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        rpc_security_descriptor :prpc_security_descriptor_out
+        ndr_uint32              :error_status
+
+        def initialize_instance
+          super
+          @opnum = REG_GET_KEY_SECURITY
+        end
+      end
+
+    end
+  end
+end
+
+
+

data/lib/ruby_smb/dcerpc/winreg/query_value_response.rb

@@ -25,6 +25,8 @@ module RubySMB
         def data
           bytes = lp_data.to_a.pack('C*')
           case lp_type
+          when 0 # 0 is undefined type, let's consider an array of bytes
+            bytes
           when 1,2
             bytes.force_encoding('utf-16le').strip
           when 3

data/lib/ruby_smb/dcerpc/winreg/set_key_security_request.rb

@@ -0,0 +1,26 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+
+      # This class represents a SetKeySecurity Request Packet as defined in
+      # [3.1.5.21 BaseRegSetKeySecurity (Opnum 21)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/da18856c-8a6d-4217-8e93-3625865e562c)
+      class SetKeySecurityRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        rpc_hkey                :hkey
+        uint32                  :security_information
+        rpc_security_descriptor :prpc_security_descriptor
+
+        def initialize_instance
+          super
+          @opnum = REG_SET_KEY_SECURITY
+        end
+      end
+
+    end
+  end
+end
+
+

data/lib/ruby_smb/dcerpc/winreg/set_key_security_response.rb

@@ -0,0 +1,25 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+
+      # This class represents a SetKeySecurity Response Packet as defined in
+      # [3.1.5.21 BaseRegSetKeySecurity (Opnum 21)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/da18856c-8a6d-4217-8e93-3625865e562c)
+      class SetKeySecurityResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_uint32 :error_status
+
+        def initialize_instance
+          super
+          @opnum = REG_SET_KEY_SECURITY
+        end
+      end
+
+    end
+  end
+end
+
+
+