ruby_smb 3.3.6 → 3.3.8

data/lib/ruby_smb/dcerpc/request.rb

@@ -18,22 +18,24 @@ module RubySMB
       choice :stub, label: 'Stub', selection: -> { @obj.parent.get_parameter(:endpoint) || '' } do
         string 'Encrypted'
         choice 'Winreg', selection: -> { opnum } do
-          open_root_key_request  Winreg::OPEN_HKCR, opnum: Winreg::OPEN_HKCR
-          open_root_key_request  Winreg::OPEN_HKCU, opnum: Winreg::OPEN_HKCU
-          open_root_key_request  Winreg::OPEN_HKLM, opnum: Winreg::OPEN_HKLM
-          open_root_key_request  Winreg::OPEN_HKPD, opnum: Winreg::OPEN_HKPD
-          open_root_key_request  Winreg::OPEN_HKU,  opnum: Winreg::OPEN_HKU
-          open_root_key_request  Winreg::OPEN_HKCC, opnum: Winreg::OPEN_HKCC
-          open_root_key_request  Winreg::OPEN_HKPT, opnum: Winreg::OPEN_HKPT
-          open_root_key_request  Winreg::OPEN_HKPN, opnum: Winreg::OPEN_HKPN
-          close_key_request      Winreg::REG_CLOSE_KEY
-          enum_key_request       Winreg::REG_ENUM_KEY
-          enum_value_request     Winreg::REG_ENUM_VALUE
-          open_key_request       Winreg::REG_OPEN_KEY
-          query_info_key_request Winreg::REG_QUERY_INFO_KEY
-          query_value_request    Winreg::REG_QUERY_VALUE
-          create_key_request     Winreg::REG_CREATE_KEY
-          save_key_request       Winreg::REG_SAVE_KEY
+          open_root_key_request     Winreg::OPEN_HKCR, opnum: Winreg::OPEN_HKCR
+          open_root_key_request     Winreg::OPEN_HKCU, opnum: Winreg::OPEN_HKCU
+          open_root_key_request     Winreg::OPEN_HKLM, opnum: Winreg::OPEN_HKLM
+          open_root_key_request     Winreg::OPEN_HKPD, opnum: Winreg::OPEN_HKPD
+          open_root_key_request     Winreg::OPEN_HKU,  opnum: Winreg::OPEN_HKU
+          open_root_key_request     Winreg::OPEN_HKCC, opnum: Winreg::OPEN_HKCC
+          open_root_key_request     Winreg::OPEN_HKPT, opnum: Winreg::OPEN_HKPT
+          open_root_key_request     Winreg::OPEN_HKPN, opnum: Winreg::OPEN_HKPN
+          close_key_request         Winreg::REG_CLOSE_KEY
+          enum_key_request          Winreg::REG_ENUM_KEY
+          enum_value_request        Winreg::REG_ENUM_VALUE
+          open_key_request          Winreg::REG_OPEN_KEY
+          query_info_key_request    Winreg::REG_QUERY_INFO_KEY
+          query_value_request       Winreg::REG_QUERY_VALUE
+          create_key_request        Winreg::REG_CREATE_KEY
+          save_key_request          Winreg::REG_SAVE_KEY
+          get_key_security_request  Winreg::REG_GET_KEY_SECURITY
+          set_key_security_request  Winreg::REG_SET_KEY_SECURITY
           string                 :default
         end
         choice 'Netlogon', selection: -> { opnum } do
@@ -109,6 +111,14 @@ module RubySMB
           efs_rpc_query_recovery_agents_request Efsrpc::EFS_RPC_QUERY_RECOVERY_AGENTS
           efs_rpc_query_users_on_file_request   Efsrpc::EFS_RPC_QUERY_USERS_ON_FILE
         end
+        choice 'Lsarpc', selection: -> { opnum } do
+          lsar_open_policy_request               Lsarpc::LSAR_OPEN_POLICY
+          lsar_open_policy2_request              Lsarpc::LSAR_OPEN_POLICY2
+          lsar_query_information_policy_request  Lsarpc::LSAR_QUERY_INFORMATION_POLICY
+          lsar_query_information_policy2_request Lsarpc::LSAR_QUERY_INFORMATION_POLICY2
+          lsar_close_handle_request              Lsarpc::LSAR_CLOSE_HANDLE
+          lsar_lookup_sids_request               Lsarpc::LSAR_LOOKUP_SIDS
+        end
         string :default
       end
 

data/lib/ruby_smb/dcerpc/rrp_rpc_unicode_string.rb

@@ -20,7 +20,7 @@ module RubySMB
         when BinData::Stringz, BinData::String, String
           self.buffer = val.to_s
           val_length = val.strip.length
-          val_length += 1 unless val == ''
+          val_length += 1
           self.buffer_length = val_length * 2
           self.maximum_length = val_length * 2
         else

data/lib/ruby_smb/dcerpc/samr/rpc_sid.rb

@@ -107,7 +107,7 @@ module RubySMB
           case val
           when String
             elems = val.split('-')
-            raise ArgumentError, "Wrong SID format" unless elems[0].downcase == 's'
+            raise ArgumentError, "Wrong SID format for #{val.inspect}" unless elems[0].downcase == 's'
             self.revision = elems[1].to_i
             self.sub_authority_count = elems[3..-1].size
             self.identifier_authority = [0, 0, 0, 0, 0, elems[2].to_i]

data/lib/ruby_smb/dcerpc/winreg/get_key_security_request.rb

@@ -0,0 +1,26 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+
+      # This class represents a GetKeySecurity Request Packet as defined in
+      # [3.1.5.13 BaseRegGetKeySecurity (Opnum 12)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/b0e1868c-f4fd-4b43-959f-c0f0cac3ee26)
+      class GetKeySecurityRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        rpc_hkey                :hkey
+        uint32                  :security_information
+        rpc_security_descriptor :prpc_security_descriptor_in
+
+        def initialize_instance
+          super
+          @opnum = REG_GET_KEY_SECURITY
+        end
+      end
+
+    end
+  end
+end
+
+

data/lib/ruby_smb/dcerpc/winreg/get_key_security_response.rb

@@ -0,0 +1,26 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+
+      # This class represents a GetKeySecurity Response Packet as defined in
+      # [3.1.5.13 BaseRegGetKeySecurity (Opnum 12)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/b0e1868c-f4fd-4b43-959f-c0f0cac3ee26)
+      class GetKeySecurityResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        rpc_security_descriptor :prpc_security_descriptor_out
+        ndr_uint32              :error_status
+
+        def initialize_instance
+          super
+          @opnum = REG_GET_KEY_SECURITY
+        end
+      end
+
+    end
+  end
+end
+
+
+

data/lib/ruby_smb/dcerpc/winreg/query_value_response.rb

@@ -25,6 +25,8 @@ module RubySMB
         def data
           bytes = lp_data.to_a.pack('C*')
           case lp_type
+          when 0 # 0 is undefined type, let's consider an array of bytes
+            bytes
           when 1,2
             bytes.force_encoding('utf-16le').strip
           when 3

data/lib/ruby_smb/dcerpc/winreg/set_key_security_request.rb

@@ -0,0 +1,26 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+
+      # This class represents a SetKeySecurity Request Packet as defined in
+      # [3.1.5.21 BaseRegSetKeySecurity (Opnum 21)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/da18856c-8a6d-4217-8e93-3625865e562c)
+      class SetKeySecurityRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        rpc_hkey                :hkey
+        uint32                  :security_information
+        rpc_security_descriptor :prpc_security_descriptor
+
+        def initialize_instance
+          super
+          @opnum = REG_SET_KEY_SECURITY
+        end
+      end
+
+    end
+  end
+end
+
+

data/lib/ruby_smb/dcerpc/winreg/set_key_security_response.rb

@@ -0,0 +1,25 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+
+      # This class represents a SetKeySecurity Response Packet as defined in
+      # [3.1.5.21 BaseRegSetKeySecurity (Opnum 21)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/da18856c-8a6d-4217-8e93-3625865e562c)
+      class SetKeySecurityResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_uint32 :error_status
+
+        def initialize_instance
+          super
+          @opnum = REG_SET_KEY_SECURITY
+        end
+      end
+
+    end
+  end
+end
+
+
+

data/lib/ruby_smb/dcerpc/winreg.rb

@@ -16,10 +16,12 @@ module RubySMB
       REG_CREATE_KEY        = 0x06
       REG_ENUM_KEY          = 0x09
       REG_ENUM_VALUE        = 0x0a
+      REG_GET_KEY_SECURITY  = 0x0c
       REG_OPEN_KEY          = 0x0f
       REG_QUERY_INFO_KEY    = 0x10
       REG_QUERY_VALUE       = 0x11
       REG_SAVE_KEY          = 0x14
+      REG_SET_KEY_SECURITY  = 0x15
       OPEN_HKCC             = 0x1b
       OPEN_HKPT             = 0x20
       OPEN_HKPN             = 0x21
@@ -43,6 +45,10 @@ module RubySMB
       require 'ruby_smb/dcerpc/winreg/create_key_response'
       require 'ruby_smb/dcerpc/winreg/save_key_request'
       require 'ruby_smb/dcerpc/winreg/save_key_response'
+      require 'ruby_smb/dcerpc/winreg/get_key_security_request'
+      require 'ruby_smb/dcerpc/winreg/get_key_security_response'
+      require 'ruby_smb/dcerpc/winreg/set_key_security_request'
+      require 'ruby_smb/dcerpc/winreg/set_key_security_response'
 
       ROOT_KEY_MAP = {
         "HKEY_CLASSES_ROOT"         => OPEN_HKCR,
@@ -65,6 +71,8 @@ module RubySMB
 
       BUFFER_SIZE = 1024
 
+      RegValue = Struct.new(:type, :data)
+
       # Open the registry root key and return a handle for it. The key can be
       # either a long format (e.g. HKEY_LOCAL_MACHINE) or a short format
       # (e.g. HKLM)
@@ -105,10 +113,7 @@ module RubySMB
       # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
       def open_key(handle, sub_key)
         openkey_request_packet = RubySMB::Dcerpc::Winreg::OpenKeyRequest.new(hkey: handle, lp_sub_key: sub_key)
-        openkey_request_packet.sam_desired.read_control = 1
-        openkey_request_packet.sam_desired.key_query_value = 1
-        openkey_request_packet.sam_desired.key_enumerate_sub_keys = 1
-        openkey_request_packet.sam_desired.key_notify = 1
+        openkey_request_packet.sam_desired.maximum_allowed = 1
         response = dcerpc_request(openkey_request_packet)
         begin
           open_key_response = RubySMB::Dcerpc::Winreg::OpenKeyResponse.read(response)
@@ -124,11 +129,12 @@ module RubySMB
       end
 
       # Retrieve the data associated with the named value of a specified
-      # registry open key.
+      # registry open key. This will also return the type if required.
       #
       # @param handle [Ndr::NdrContextHandle] the handle for the key
       # @param value_name [String] the name of the value
-      # @return [String] the data of the value entry
+      # @param value_name [Boolean] also return the data type if set to true
+      # @return [RegValue] a RegValue struct containing the data type and the actual data of the value entry
       # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response is not a QueryValueResponse packet
       # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
       def query_value(handle, value_name)
@@ -161,7 +167,7 @@ module RubySMB
             "#{WindowsError::Win32.find_by_retval(query_value_response.error_status.value).join(',')}"
         end
 
-        query_value_response.data
+        RegValue.new(query_value_response.lp_type, query_value_response.data)
       end
 
       # Close the handle to the registry key.
@@ -323,6 +329,7 @@ module RubySMB
       # exists, false otherwise.
       #
       # @param key [String] the registry key to check
+      # @param bind [Boolean] Bind to the winreg endpoint if true (default)
       # @return [Boolean]
       def has_registry_key?(key, bind: true)
         bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
@@ -345,6 +352,7 @@ module RubySMB
       #
       # @param key [String] the registry key
       # @param value_name [String] the name of the value to read
+      # @param bind [Boolean] Bind to the winreg endpoint if true (default)
       # @return [String] the data of the value entry
       def read_registry_key_value(key, value_name, bind: true)
         bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
@@ -352,8 +360,8 @@ module RubySMB
         root_key, sub_key = key.gsub(/\//, '\\').split('\\', 2)
         root_key_handle = open_root_key(root_key)
         subkey_handle = open_key(root_key_handle, sub_key)
-        value = query_value(subkey_handle, value_name)
-        value
+        reg_value = query_value(subkey_handle, value_name)
+        reg_value.data
       ensure
         close_key(subkey_handle) if subkey_handle
         close_key(root_key_handle) if root_key_handle
@@ -363,6 +371,7 @@ module RubySMB
       # is provided, it enumerates its subkeys.
       #
       # @param key [String] the registry key
+      # @param bind [Boolean] Bind to the winreg endpoint if true (default)
       # @return [Array<String>] the subkeys
       def enum_registry_key(key, bind: true)
         bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
@@ -389,6 +398,7 @@ module RubySMB
       # Enumerate the values for the specified registry key.
       #
       # @param key [String] the registry key
+      # @param bind [Boolean] Bind to the winreg endpoint if true (default)
       # @return [Array<String>] the values
       def enum_registry_values(key, bind: true)
         bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
@@ -412,6 +422,108 @@ module RubySMB
         close_key(root_key_handle) if root_key_handle && root_key_handle != subkey_handle
       end
 
+
+      # Retrieve the security descriptor for the given registry key handle.
+      #
+      # @param handle [String] the handle to the registry key
+      # @param security_information [] the security information to query (see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343). These constants are defined in the `RubySMB::Field::SecurityDescriptor` class
+      # @return [String] The security descriptor as a byte stream
+      # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response is not a GetKeySecurityResponse packet
+      # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
+      def get_key_security(handle, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION)
+        get_key_security_request = RubySMB::Dcerpc::Winreg::GetKeySecurityRequest.new(
+          hkey: handle,
+          security_information: security_information,
+          prpc_security_descriptor_in: { cb_in_security_descriptor: 4096 }
+        )
+        response = dcerpc_request(get_key_security_request)
+        begin
+          get_key_security_response = RubySMB::Dcerpc::Winreg::GetKeySecurityResponse.read(response)
+        rescue IOError
+          raise RubySMB::Dcerpc::Error::InvalidPacket, "Error reading the GetKeySecurity response"
+        end
+        unless get_key_security_response.error_status == WindowsError::Win32::ERROR_SUCCESS
+          raise RubySMB::Dcerpc::Error::WinregError, "Error returned when querying information: "\
+            "#{WindowsError::Win32.find_by_retval(get_key_security_response.error_status.value).join(',')}"
+        end
+
+        get_key_security_response.prpc_security_descriptor_out.lp_security_descriptor.to_a.pack('C*')
+      end
+
+      # Retrieve the security descriptor for the given key.
+      #
+      # @param key [String] the registry key
+      # @param security_information [] the security information to query (see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343). These constants are defined in the `RubySMB::Field::SecurityDescriptor` class
+      # @param bind [Boolean] Bind to the winreg endpoint if true (default)
+      # @return [String] The security descriptor as a byte stream
+      # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response is not a GetKeySecurityResponse packet
+      # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
+      def get_key_security_descriptor(key, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION, bind: true)
+        bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
+
+        root_key, sub_key = key.gsub(/\//, '\\').split('\\', 2)
+        root_key_handle = open_root_key(root_key)
+        subkey_handle = open_key(root_key_handle, sub_key)
+        get_key_security(subkey_handle, security_information)
+      ensure
+        close_key(subkey_handle) if subkey_handle
+        close_key(root_key_handle) if root_key_handle
+      end
+
+      # Set the security descriptor for the given registry key handle.
+      #
+      # @param handle [String] the handle to the registry key
+      # @param security_descriptor [String] the new security descriptor to set as a byte stream
+      # @param security_information [] the security information to query (see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343). These constants are defined in the `RubySMB::Field::SecurityDescriptor` class
+      # @param bind [Boolean] Bind to the winreg endpoint if true (default)
+      # @return [Integer] The error status returned by the DCERPC call
+      # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response is not a SetKeySecurityResponse packet
+      # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
+      def set_key_security(handle, security_descriptor, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION)
+        set_key_security_request = RubySMB::Dcerpc::Winreg::SetKeySecurityRequest.new(
+          hkey: handle,
+          security_information: security_information,
+          prpc_security_descriptor: {
+            lp_security_descriptor: security_descriptor.bytes,
+            cb_in_security_descriptor: security_descriptor.b.size,
+            cb_out_security_descriptor: security_descriptor.b.size
+          }
+        )
+        response = dcerpc_request(set_key_security_request)
+        begin
+          set_key_security_response = RubySMB::Dcerpc::Winreg::SetKeySecurityResponse.read(response)
+        rescue IOError
+          raise RubySMB::Dcerpc::Error::InvalidPacket, "Error reading the SetKeySecurity response"
+        end
+        unless set_key_security_response.error_status == WindowsError::Win32::ERROR_SUCCESS
+          raise RubySMB::Dcerpc::Error::WinregError, "Error returned when setting the registry key: "\
+            "#{WindowsError::Win32.find_by_retval(set_key_security_response.error_status.value).join(',')}"
+        end
+
+        set_key_security_response.error_status
+      end
+
+      # Set the security descriptor for the given key.
+      #
+      # @param key [String] the registry key
+      # @param security_descriptor [String] the new security descriptor to set as a byte stream
+      # @param security_information [] the security information to query (see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343). These constants are defined in the `RubySMB::Field::SecurityDescriptor` class
+      # @param bind [Boolean] Bind to the winreg endpoint if true (default)
+      # @return [Integer] The error status returned by the DCERPC call
+      # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response is not a SetKeySecurityResponse packet
+      # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
+      def set_key_security_descriptor(key, security_descriptor, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION, bind: true)
+        bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
+
+        root_key, sub_key = key.gsub(/\//, '\\').split('\\', 2)
+        root_key_handle = open_root_key(root_key)
+        subkey_handle = open_key(root_key_handle, sub_key)
+        set_key_security(subkey_handle, security_descriptor, security_information)
+      ensure
+        close_key(subkey_handle) if subkey_handle
+        close_key(root_key_handle) if root_key_handle
+      end
+
     end
   end
 end

data/lib/ruby_smb/field/security_descriptor.rb

@@ -3,6 +3,23 @@ module RubySMB
     # Class representing a SECURITY_DESCRIPTOR as defined in
     # [2.4.6 SECURITY_DESCRIPTOR](https://msdn.microsoft.com/en-us/library/cc230366.aspx)
     class SecurityDescriptor < BinData::Record
+
+      # Security Information as defined in
+      # [2.4.7 SECURITY_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343)
+      OWNER_SECURITY_INFORMATION               = 0x00000001
+      GROUP_SECURITY_INFORMATION               = 0x00000002
+      DACL_SECURITY_INFORMATION                = 0x00000004
+      SACL_SECURITY_INFORMATION                = 0x00000008
+      LABEL_SECURITY_INFORMATION               = 0x00000010
+      UNPROTECTED_SACL_SECURITY_INFORMATION    = 0x10000000
+      UNPROTECTED_DACL_SECURITY_INFORMATION    = 0x20000000
+      PROTECTED_SACL_SECURITY_INFORMATION      = 0x40000000
+      PROTECTED_DACL_SECURITY_INFORMATION      = 0x80000000
+      ATTRIBUTE_SECURITY_INFORMATION           = 0x00000020
+      SCOPE_SECURITY_INFORMATION               = 0x00000040
+      PROCESS_TRUST_LABEL_SECURITY_INFORMATION = 0x00000080
+      BACKUP_SECURITY_INFORMATION              = 0x00010000
+
       endian  :little
       uint8   :revision,  label: 'Revision', initial_value: 0x01
       uint8   :sbz1,      label: 'Resource Manager Control Bits'

data/lib/ruby_smb/version.rb

@@ -1,3 +1,3 @@
 module RubySMB
-  VERSION = '3.3.6'.freeze
+  VERSION = '3.3.8'.freeze
 end

data/spec/lib/ruby_smb/dcerpc/lsarpc/lsar_close_handle_request_spec.rb

@@ -0,0 +1,40 @@
+RSpec.describe RubySMB::Dcerpc::Lsarpc::LsarCloseHandleRequest do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :policy_handle }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#policy_handle' do
+    it 'is an LsaprHandle structure' do
+      expect(packet.policy_handle).to be_a RubySMB::Dcerpc::Lsarpc::LsaprHandle
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to LSAR_CLOSE_HANDLE constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Lsarpc::LSAR_CLOSE_HANDLE)
+    end
+  end
+  it 'reads itself' do
+    new_packet = described_class.new(
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+      }
+    )
+    expected_output = {
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+      }
+    }
+    expect(packet.read(new_packet.to_binary_s)).to eq(expected_output)
+  end
+end
+
+

data/spec/lib/ruby_smb/dcerpc/lsarpc/lsar_close_handle_response_spec.rb

@@ -0,0 +1,46 @@
+RSpec.describe RubySMB::Dcerpc::Lsarpc::LsarCloseHandleResponse do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :policy_handle }
+  it { is_expected.to respond_to :error_status }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#policy_handle' do
+    it 'is a LsaprHandle structure' do
+      expect(packet.policy_handle).to be_a RubySMB::Dcerpc::Lsarpc::LsaprHandle
+    end
+  end
+  describe '#error_status' do
+    it 'is a NdrUint32 structure' do
+      expect(packet.error_status).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to LSAR_CLOSE_HANDLE constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Lsarpc::LSAR_CLOSE_HANDLE)
+    end
+  end
+  it 'reads itself' do
+    new_class = described_class.new(
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: '2ef54a87-e29e-4d24-90e9-9da49b94449e'
+      },
+      error_status: 0
+    )
+    expect(packet.read(new_class.to_binary_s)).to eq(
+      {
+        policy_handle: {
+          context_handle_attributes: 0,
+          context_handle_uuid: '2ef54a87-e29e-4d24-90e9-9da49b94449e'
+        },
+        error_status: 0
+      })
+  end
+end

data/spec/lib/ruby_smb/dcerpc/lsarpc/lsar_lookup_sids_request_spec.rb

@@ -0,0 +1,69 @@
+require 'ruby_smb/dcerpc/ndr'
+
+RSpec.describe RubySMB::Dcerpc::Lsarpc::LsarLookupSidsRequest do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :policy_handle }
+  it { is_expected.to respond_to :sid_enum_buffer }
+  it { is_expected.to respond_to :translated_names }
+  it { is_expected.to respond_to :lookup_level }
+  it { is_expected.to respond_to :mapped_count }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#policy_handle' do
+    it 'is an LsaprHandle structure' do
+      expect(packet.policy_handle).to be_a RubySMB::Dcerpc::Lsarpc::LsaprHandle
+    end
+  end
+  describe '#sid_enum_buffer' do
+    it 'is an LsaprSidEnumBuffer structure' do
+      expect(packet.sid_enum_buffer).to be_a RubySMB::Dcerpc::Lsarpc::LsaprSidEnumBuffer
+    end
+  end
+  describe '#translated_names' do
+    it 'is an LsaprTranslatedNames structure' do
+      expect(packet.translated_names).to be_a RubySMB::Dcerpc::Lsarpc::LsaprTranslatedNames
+    end
+  end
+  describe '#lookup_level' do
+    it 'is an NdrUint16' do
+      expect(packet.lookup_level).to be_a RubySMB::Dcerpc::Ndr::NdrUint16
+    end
+  end
+  describe '#mapped_count' do
+    it 'is an NdrUint32' do
+      expect(packet.mapped_count).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to LSAR_LOOKUP_SIDS constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Lsarpc::LSAR_LOOKUP_SIDS)
+    end
+  end
+  it 'reads itself' do
+    new_class = described_class.new(
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+      },
+      sid_enum_buffer: { num_entries: 1, sid_info: [ { sid: 'S-1-5-21-2181772609-2124839192-2039643012-500' } ] },
+      lookup_level: 0,
+    )
+    expect(packet.read(new_class.to_binary_s)).to eq(
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+      },
+      sid_enum_buffer: { num_entries: 1, sid_info: [ { sid: 'S-1-5-21-2181772609-2124839192-2039643012-500' } ] },
+      translated_names: { num_entries: 0, names: :null },
+      lookup_level: 0,
+      mapped_count: 0
+    )
+  end
+end

data/spec/lib/ruby_smb/dcerpc/lsarpc/lsar_lookup_sids_response_spec.rb

@@ -0,0 +1,56 @@
+require 'ruby_smb/dcerpc/ndr'
+
+RSpec.describe RubySMB::Dcerpc::Lsarpc::LsarLookupSidsResponse do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :referenced_domains }
+  it { is_expected.to respond_to :translated_names }
+  it { is_expected.to respond_to :mapped_count }
+  it { is_expected.to respond_to :error_status }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#referenced_domains' do
+    it 'is an LsaprReferencedDomainListPtr structure' do
+      expect(packet.referenced_domains).to be_a RubySMB::Dcerpc::Lsarpc::LsaprReferencedDomainListPtr
+    end
+  end
+  describe '#translated_names' do
+    it 'is an LsaprTranslatedNames structure' do
+      expect(packet.translated_names).to be_a RubySMB::Dcerpc::Lsarpc::LsaprTranslatedNames
+    end
+  end
+  describe '#mapped_count' do
+    it 'is an NdrUint32 structure' do
+      expect(packet.mapped_count).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#error_status' do
+    it 'is an NdrUint32' do
+      expect(packet.error_status).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to LSAR_LOOKUP_SIDS constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Lsarpc::LSAR_LOOKUP_SIDS)
+    end
+  end
+  it 'reads itself' do
+    new_class = described_class.new(
+      translated_names: { num_entries: 1, names: [ { use: 0, name: 'Administrator', domain_index: 0 }] },
+      mapped_count: 1,
+      error_status: 0
+    )
+    expect(packet.read(new_class.to_binary_s)).to eq(
+      referenced_domains: :null,
+      translated_names: { num_entries: 1, names: [ { use: 0, name: { buffer_length: 26, maximum_length: 26, buffer: 'Administrator'.encode('UTF-16LE') }, domain_index: 0 } ] },
+      mapped_count: 1,
+      error_status: 0
+    )
+  end
+end