ruby_smb 3.3.7 → 3.3.9

data/lib/ruby_smb/dcerpc/netlogon/dsr_get_dc_name_ex2_request.rb

@@ -0,0 +1,28 @@
+require 'ruby_smb/dcerpc/ndr'
+
+module RubySMB
+  module Dcerpc
+    module Netlogon
+
+      # [3.5.4.3.1 DsrGetDcNameEx2 (Opnum 34)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/fb8e1146-a045-4c31-98d1-c68507ad5620)
+      class DsrGetDcNameEx2Request < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        logonsrv_handle       :computer_name
+        ndr_wide_stringz_ptr  :account_name
+        ndr_uint32            :allowable_account_control_bits
+        ndr_wide_stringz_ptr  :domain_name
+        uuid_ptr              :domain_guid
+        ndr_wide_stringz_ptr  :site_name
+        ndr_uint32            :flags
+
+        def initialize_instance
+          super
+          @opnum = DSR_GET_DC_NAME_EX2
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/netlogon/dsr_get_dc_name_ex2_response.rb

@@ -0,0 +1,24 @@
+require 'ruby_smb/dcerpc/ndr'
+require 'ruby_smb/dcerpc/netlogon/domain_controller_infow'
+
+module RubySMB
+  module Dcerpc
+    module Netlogon
+
+      # [3.5.4.3.1 DsrGetDcNameEx2 (Opnum 34)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/fb8e1146-a045-4c31-98d1-c68507ad5620)
+      class DsrGetDcNameEx2Response < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        domain_controller_info_w_ptr  :domain_controller_info
+        ndr_uint32                    :error_status
+
+        def initialize_instance
+          super
+          @opnum = DSR_GET_DC_NAME_EX2
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/netlogon.rb

@@ -11,6 +11,7 @@ module RubySMB
       NETR_SERVER_REQ_CHALLENGE = 4
       NETR_SERVER_AUTHENTICATE3 = 26
       NETR_SERVER_PASSWORD_SET2 = 30
+      DSR_GET_DC_NAME_EX2 = 34
 
       # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/3b224201-b531-43e2-8c79-b61f6dea8640
       class LogonsrvHandle < Ndr::NdrWideStringzPtr; end
@@ -65,6 +66,8 @@ module RubySMB
       require 'ruby_smb/dcerpc/netlogon/netr_server_password_set2_response'
       require 'ruby_smb/dcerpc/netlogon/netr_server_req_challenge_request'
       require 'ruby_smb/dcerpc/netlogon/netr_server_req_challenge_response'
+      require 'ruby_smb/dcerpc/netlogon/dsr_get_dc_name_ex2_request'
+      require 'ruby_smb/dcerpc/netlogon/dsr_get_dc_name_ex2_response'
 
       # Calculate the netlogon session key from the provided shared secret and
       # challenges. The shared secret is an NTLM hash.

data/lib/ruby_smb/dcerpc/request.rb

@@ -111,6 +111,14 @@ module RubySMB
           efs_rpc_query_recovery_agents_request Efsrpc::EFS_RPC_QUERY_RECOVERY_AGENTS
           efs_rpc_query_users_on_file_request   Efsrpc::EFS_RPC_QUERY_USERS_ON_FILE
         end
+        choice 'Lsarpc', selection: -> { opnum } do
+          lsar_open_policy_request               Lsarpc::LSAR_OPEN_POLICY
+          lsar_open_policy2_request              Lsarpc::LSAR_OPEN_POLICY2
+          lsar_query_information_policy_request  Lsarpc::LSAR_QUERY_INFORMATION_POLICY
+          lsar_query_information_policy2_request Lsarpc::LSAR_QUERY_INFORMATION_POLICY2
+          lsar_close_handle_request              Lsarpc::LSAR_CLOSE_HANDLE
+          lsar_lookup_sids_request               Lsarpc::LSAR_LOOKUP_SIDS
+        end
         string :default
       end
 

data/lib/ruby_smb/dcerpc/samr/rpc_sid.rb

@@ -107,7 +107,7 @@ module RubySMB
           case val
           when String
             elems = val.split('-')
-            raise ArgumentError, "Wrong SID format" unless elems[0].downcase == 's'
+            raise ArgumentError, "Wrong SID format for #{val.inspect}" unless elems[0].downcase == 's'
             self.revision = elems[1].to_i
             self.sub_authority_count = elems[3..-1].size
             self.identifier_authority = [0, 0, 0, 0, 0, elems[2].to_i]

data/lib/ruby_smb/version.rb

@@ -1,3 +1,3 @@
 module RubySMB
-  VERSION = '3.3.7'.freeze
+  VERSION = '3.3.9'.freeze
 end

data/spec/lib/ruby_smb/dcerpc/lsarpc/lsar_close_handle_request_spec.rb

@@ -0,0 +1,40 @@
+RSpec.describe RubySMB::Dcerpc::Lsarpc::LsarCloseHandleRequest do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :policy_handle }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#policy_handle' do
+    it 'is an LsaprHandle structure' do
+      expect(packet.policy_handle).to be_a RubySMB::Dcerpc::Lsarpc::LsaprHandle
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to LSAR_CLOSE_HANDLE constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Lsarpc::LSAR_CLOSE_HANDLE)
+    end
+  end
+  it 'reads itself' do
+    new_packet = described_class.new(
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+      }
+    )
+    expected_output = {
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+      }
+    }
+    expect(packet.read(new_packet.to_binary_s)).to eq(expected_output)
+  end
+end
+
+

data/spec/lib/ruby_smb/dcerpc/lsarpc/lsar_close_handle_response_spec.rb

@@ -0,0 +1,46 @@
+RSpec.describe RubySMB::Dcerpc::Lsarpc::LsarCloseHandleResponse do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :policy_handle }
+  it { is_expected.to respond_to :error_status }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#policy_handle' do
+    it 'is a LsaprHandle structure' do
+      expect(packet.policy_handle).to be_a RubySMB::Dcerpc::Lsarpc::LsaprHandle
+    end
+  end
+  describe '#error_status' do
+    it 'is a NdrUint32 structure' do
+      expect(packet.error_status).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to LSAR_CLOSE_HANDLE constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Lsarpc::LSAR_CLOSE_HANDLE)
+    end
+  end
+  it 'reads itself' do
+    new_class = described_class.new(
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: '2ef54a87-e29e-4d24-90e9-9da49b94449e'
+      },
+      error_status: 0
+    )
+    expect(packet.read(new_class.to_binary_s)).to eq(
+      {
+        policy_handle: {
+          context_handle_attributes: 0,
+          context_handle_uuid: '2ef54a87-e29e-4d24-90e9-9da49b94449e'
+        },
+        error_status: 0
+      })
+  end
+end

data/spec/lib/ruby_smb/dcerpc/lsarpc/lsar_lookup_sids_request_spec.rb

@@ -0,0 +1,69 @@
+require 'ruby_smb/dcerpc/ndr'
+
+RSpec.describe RubySMB::Dcerpc::Lsarpc::LsarLookupSidsRequest do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :policy_handle }
+  it { is_expected.to respond_to :sid_enum_buffer }
+  it { is_expected.to respond_to :translated_names }
+  it { is_expected.to respond_to :lookup_level }
+  it { is_expected.to respond_to :mapped_count }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#policy_handle' do
+    it 'is an LsaprHandle structure' do
+      expect(packet.policy_handle).to be_a RubySMB::Dcerpc::Lsarpc::LsaprHandle
+    end
+  end
+  describe '#sid_enum_buffer' do
+    it 'is an LsaprSidEnumBuffer structure' do
+      expect(packet.sid_enum_buffer).to be_a RubySMB::Dcerpc::Lsarpc::LsaprSidEnumBuffer
+    end
+  end
+  describe '#translated_names' do
+    it 'is an LsaprTranslatedNames structure' do
+      expect(packet.translated_names).to be_a RubySMB::Dcerpc::Lsarpc::LsaprTranslatedNames
+    end
+  end
+  describe '#lookup_level' do
+    it 'is an NdrUint16' do
+      expect(packet.lookup_level).to be_a RubySMB::Dcerpc::Ndr::NdrUint16
+    end
+  end
+  describe '#mapped_count' do
+    it 'is an NdrUint32' do
+      expect(packet.mapped_count).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to LSAR_LOOKUP_SIDS constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Lsarpc::LSAR_LOOKUP_SIDS)
+    end
+  end
+  it 'reads itself' do
+    new_class = described_class.new(
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+      },
+      sid_enum_buffer: { num_entries: 1, sid_info: [ { sid: 'S-1-5-21-2181772609-2124839192-2039643012-500' } ] },
+      lookup_level: 0,
+    )
+    expect(packet.read(new_class.to_binary_s)).to eq(
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+      },
+      sid_enum_buffer: { num_entries: 1, sid_info: [ { sid: 'S-1-5-21-2181772609-2124839192-2039643012-500' } ] },
+      translated_names: { num_entries: 0, names: :null },
+      lookup_level: 0,
+      mapped_count: 0
+    )
+  end
+end

data/spec/lib/ruby_smb/dcerpc/lsarpc/lsar_lookup_sids_response_spec.rb

@@ -0,0 +1,56 @@
+require 'ruby_smb/dcerpc/ndr'
+
+RSpec.describe RubySMB::Dcerpc::Lsarpc::LsarLookupSidsResponse do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :referenced_domains }
+  it { is_expected.to respond_to :translated_names }
+  it { is_expected.to respond_to :mapped_count }
+  it { is_expected.to respond_to :error_status }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#referenced_domains' do
+    it 'is an LsaprReferencedDomainListPtr structure' do
+      expect(packet.referenced_domains).to be_a RubySMB::Dcerpc::Lsarpc::LsaprReferencedDomainListPtr
+    end
+  end
+  describe '#translated_names' do
+    it 'is an LsaprTranslatedNames structure' do
+      expect(packet.translated_names).to be_a RubySMB::Dcerpc::Lsarpc::LsaprTranslatedNames
+    end
+  end
+  describe '#mapped_count' do
+    it 'is an NdrUint32 structure' do
+      expect(packet.mapped_count).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#error_status' do
+    it 'is an NdrUint32' do
+      expect(packet.error_status).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to LSAR_LOOKUP_SIDS constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Lsarpc::LSAR_LOOKUP_SIDS)
+    end
+  end
+  it 'reads itself' do
+    new_class = described_class.new(
+      translated_names: { num_entries: 1, names: [ { use: 0, name: 'Administrator', domain_index: 0 }] },
+      mapped_count: 1,
+      error_status: 0
+    )
+    expect(packet.read(new_class.to_binary_s)).to eq(
+      referenced_domains: :null,
+      translated_names: { num_entries: 1, names: [ { use: 0, name: { buffer_length: 26, maximum_length: 26, buffer: 'Administrator'.encode('UTF-16LE') }, domain_index: 0 } ] },
+      mapped_count: 1,
+      error_status: 0
+    )
+  end
+end

data/spec/lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy2_request_spec.rb

@@ -0,0 +1,68 @@
+require 'ruby_smb/dcerpc/ndr'
+
+RSpec.describe RubySMB::Dcerpc::Lsarpc::LsarOpenPolicy2Request do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :system_name }
+  it { is_expected.to respond_to :object_attributes }
+  it { is_expected.to respond_to :access_mask }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#system_name' do
+    it 'is an NdrWideStringzPtr structure' do
+      expect(packet.system_name).to be_a RubySMB::Dcerpc::Ndr::NdrWideStringzPtr
+    end
+  end
+  describe '#object_attributes' do
+    it 'is an LsaprObjectAttributes structure' do
+      expect(packet.object_attributes).to be_a RubySMB::Dcerpc::Lsarpc::LsaprObjectAttributes
+    end
+  end
+  describe '#access_mask' do
+    it 'is an NdrUint32 structure' do
+      expect(packet.access_mask).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to LSAR_OPEN_POLICY2 constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Lsarpc::LSAR_OPEN_POLICY2)
+    end
+  end
+  it 'reads itself' do
+    new_class = described_class.new(
+      system_name: 'Example_System',
+      object_attributes: {
+        security_quality_of_service: {
+          impersonation_level: 0,
+          security_context_tracking_mode: 0
+        }
+      },
+      access_mask: 0
+    )
+    expect(packet.read(new_class.to_binary_s)).to eq(
+      {
+        system_name: 'Example_System'.encode('UTF-16LE'),
+        object_attributes: {
+          len: 24,
+          root_directory: :null,
+          object_name: :null,
+          attributes: 0,
+          security_descriptor: :null,
+          security_quality_of_service: {
+            len: 12,
+            impersonation_level: 0,
+            security_context_tracking_mode: 0,
+            effective_only: 0
+          }
+        },
+      access_mask: 0
+      }
+    )
+  end
+end

data/spec/lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy2_response_spec.rb

@@ -0,0 +1,46 @@
+
+RSpec.describe RubySMB::Dcerpc::Lsarpc::LsarOpenPolicy2Response do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :policy_handle }
+  it { is_expected.to respond_to :error_status }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#policy_handle' do
+    it 'is an LsaprHandle structure' do
+      expect(packet.policy_handle).to be_a RubySMB::Dcerpc::Lsarpc::LsaprHandle
+    end
+  end
+  describe '#error_status' do
+    it 'is a NdrUint32' do
+      expect(packet.error_status).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to LSAR_OPEN_POLICY2 constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Lsarpc::LSAR_OPEN_POLICY2)
+    end
+  end
+  it 'reads itself' do
+    new_class = described_class.new(
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+      },
+      error_status: 0
+    )
+    expect(packet.read(new_class.to_binary_s)).to eq(
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+      },
+      error_status: 0
+    )
+  end
+end

data/spec/lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy_request_spec.rb

@@ -0,0 +1,68 @@
+require 'ruby_smb/dcerpc/ndr'
+
+RSpec.describe RubySMB::Dcerpc::Lsarpc::LsarOpenPolicyRequest do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :system_name }
+  it { is_expected.to respond_to :object_attributes }
+  it { is_expected.to respond_to :access_mask }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#system_name' do
+    it 'is an NdrWideStringPtr structure' do
+      expect(packet.system_name).to be_a RubySMB::Dcerpc::Ndr::NdrWideStringPtr
+    end
+  end
+  describe '#object_attributes' do
+    it 'is an LsaprObjectAttributes structure' do
+      expect(packet.object_attributes).to be_a RubySMB::Dcerpc::Lsarpc::LsaprObjectAttributes
+    end
+  end
+  describe '#access_mask' do
+    it 'is an NdrUint32 structure' do
+      expect(packet.access_mask).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to LSAR_OPEN_POLICY constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Lsarpc::LSAR_OPEN_POLICY)
+    end
+  end
+  it 'reads itself' do
+    new_class = described_class.new(
+      system_name: 'Example_System',
+      object_attributes: {
+        security_quality_of_service: {
+          impersonation_level: 0,
+          security_context_tracking_mode: 0
+        }
+      },
+      access_mask: 0
+    )
+    expect(packet.read(new_class.to_binary_s)).to eq(
+      {
+        system_name: 'Example_System'.encode('UTF-16LE'),
+        object_attributes: {
+          len: 24,
+          root_directory: :null,
+          object_name: :null,
+          attributes: 0,
+          security_descriptor: :null,
+          security_quality_of_service: {
+            len: 12,
+            impersonation_level: 0,
+            security_context_tracking_mode: 0,
+            effective_only: 0
+          }
+        },
+        access_mask: 0
+      }
+    )
+  end
+end

data/spec/lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy_response_spec.rb

@@ -0,0 +1,45 @@
+
+RSpec.describe RubySMB::Dcerpc::Lsarpc::LsarOpenPolicyResponse do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :policy_handle }
+  it { is_expected.to respond_to :error_status }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#policy_handle' do
+    it 'is an LsaprHandle structure' do
+      expect(packet.policy_handle).to be_a RubySMB::Dcerpc::Lsarpc::LsaprHandle
+    end
+  end
+  describe '#error_status' do
+    it 'is a NdrUint32' do
+      expect(packet.error_status).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to LSAR_OPEN_POLICY constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Lsarpc::LSAR_OPEN_POLICY)
+    end
+  end
+  it 'reads itself' do
+    new_class = described_class.new(
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+      }
+    )
+    expect(packet.read(new_class.to_binary_s)).to eq(
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+      },
+      error_status: 0
+    )
+  end
+end

data/spec/lib/ruby_smb/dcerpc/lsarpc/lsar_query_information_policy2_request_spec.rb

@@ -0,0 +1,47 @@
+require 'ruby_smb/dcerpc/ndr'
+
+RSpec.describe RubySMB::Dcerpc::Lsarpc::LsarQueryInformationPolicy2Request do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :policy_handle }
+  it { is_expected.to respond_to :information_class }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#policy_handle' do
+    it 'is an LsaprHandle structure' do
+      expect(packet.policy_handle).to be_a RubySMB::Dcerpc::Lsarpc::LsaprHandle
+    end
+  end
+  describe '#information_class' do
+    it 'is an NdrUint32 structure' do
+      expect(packet.information_class).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to LSAR_QUERY_INFORMATION_POLICY2 constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Lsarpc::LSAR_QUERY_INFORMATION_POLICY2)
+    end
+  end
+  it 'reads itself' do
+    new_class = described_class.new(
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+      },
+      information_class: 0
+    )
+    expect(packet.read(new_class.to_binary_s)).to eq(
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+      },
+      information_class: 0
+    )
+  end
+end

data/spec/lib/ruby_smb/dcerpc/lsarpc/lsar_query_information_policy2_response_spec.rb

@@ -0,0 +1,54 @@
+require 'ruby_smb/dcerpc/ndr'
+require 'ruby_smb/dcerpc/lsarpc'
+
+RSpec.describe RubySMB::Dcerpc::Lsarpc::LsarQueryInformationPolicy2Response do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :policy_information }
+  it { is_expected.to respond_to :error_status }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#policy_information' do
+    it 'is an LsaprPolicyInformationPtr structure' do
+      expect(packet.policy_information).to be_a RubySMB::Dcerpc::Lsarpc::LsaprPolicyInformationPtr
+    end
+  end
+  describe '#error_status' do
+    it 'is an NdrUint32 structure' do
+      expect(packet.error_status).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to LSAR_QUERY_INFORMATION_POLICY2 constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Lsarpc::LSAR_QUERY_INFORMATION_POLICY2)
+    end
+  end
+  it 'reads itself' do
+    new_class = described_class.new(
+      policy_information: {
+        policy_information_class: 1,
+        policy_information: {}
+      }
+    )
+    expect(packet.read(new_class.to_binary_s)).to eq(
+      policy_information: {
+        policy_information_class: 1,
+        policy_information: {
+          audit_log_percent_full: 0,
+          maximum_log_size: 0,
+          audit_retention_period: 0,
+          audit_log_full_shutdown_in_progress: 0,
+          time_to_shutdown: 0,
+          next_audit_record_id: 0
+        }
+      },
+      error_status: 0
+    )
+  end
+end