smbRpc 0.0.3

data/lib/smbRpc/lsarpc/enumeratePrivilegesAccount.rb

@@ -0,0 +1,49 @@
+module SmbRpc
+  class Lsarpc < Rpc
+
+    class LsarEnumeratePrivilegesAccountReq < BinData::Record
+      endian :little
+      request :request
+      string :accountHandle, :length => 20
+
+      def initialize_instance
+        super
+        accountHandle.value = get_parameter(:handle)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 18        #LsarEnumeratePrivilegesAccount
+      end
+    end
+
+    class Lsapr_luid_and_attributes < BinData::Record
+      endian :little
+      string :luid, :length => 8
+      uint32 :attributes		#2.2.5.4 LSAPR_LUID_AND_ATTRIBUTES
+					#bit maks of last 2 least significant bit, so 1 = emable by default, 2 = enable
+    end
+
+    class Lsapr_privilege_set < BinData::Record
+      endian :little
+      uint32 :privilegeCount
+      uint32 :numberOfPrivilegeCount
+      uint32 :control
+      array :privilege, :type => :lsapr_luid_and_attributes, :initial_length => :privilegeCount
+    end
+
+    class LsarEnumeratePrivilegesAccountRes < BinData::Record
+      endian :little
+      response :response
+      uint32 :ref_id_privileges
+      lsapr_privilege_set :privileges
+      uint32 :windowsError
+    end
+
+    def enumeratePrivilegesAccount()
+      lsarEnumeratePrivilegesAccountReq = LsarEnumeratePrivilegesAccountReq.new(handle:@accountHandle)
+      lsarEnumeratePrivilegesAccountRes = @file.ioctl_send_recv(lsarEnumeratePrivilegesAccountReq).buffer
+      lsarEnumeratePrivilegesAccountRes.raise_not_error_success("enumeratePrivilegesAccount")
+      lsarEnumeratePrivilegesAccountRes = LsarEnumeratePrivilegesAccountRes.read(lsarEnumeratePrivilegesAccountRes)
+      return lsarEnumeratePrivilegesAccountRes.privileges.privilege
+    end
+
+end
+end

data/lib/smbRpc/lsarpc/lookupNames.rb

@@ -0,0 +1,74 @@
+module SmbRpc
+  class Lsarpc < Rpc
+
+    class Lsapr_translated_sids < BinData::Record
+      endian :little
+      uint32 :numberOfEntries
+      choice :sids, :selection => :numberOfEntries do
+        uint32 0     
+        array :default, :type => :rpc_sid, :initial_length => :numberOfEntries 
+      end
+    end
+
+    class LsarLookupNamesReq < BinData::Record
+      endian :little
+      request :request
+      string :policyHandle, :length => 20
+      uint32 :numCount, :value => 1
+      uint32 :numberOfNames, :value => :numCount
+      rpc_unicode_string :name
+      conformantandVaryingStrings :nameNdr
+      lsapr_translated_sids :translatedSids
+      uint32 :lookupLevel, :value => 1
+      uint32 :mappedCount
+
+      def initialize_instance
+        super
+        policyHandle.value = get_parameter(:handle)
+        uniString = get_parameter(:accountName).bytes.pack("v*")
+        name.len.value = uniString.bytesize
+        name.maximumLength.value = uniString.bytesize
+        nameNdr.str.value = uniString
+
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 14        #LsarLookupNames
+      end
+    end
+
+    class Lsa_translated_sid < BinData::Record
+      endian :little
+      uint32 :use
+      uint32 :relativeId
+      uint32 :domainIndex
+    end
+
+    class LsarLookupNamesRes < BinData::Record
+      endian :little
+      response :response
+      uint32 :ref_id_referencedDomains
+      lsapr_referenced_domain_list :referencedDomains	#already declared in lsarpc/lsaLookupSids.rb
+      uint32 :numberOfEntries
+      lsapr_trust_information :domain			#already declared in lsarpc/lsaLookupSids.rb
+      uint32 :numberOfSids
+      uint32 :ref_id_translatedSids
+      uint32 :numberOfTranslatedSids
+      lsa_translated_sid :translatedSids
+      uint32 :mappedCount
+      uint32 :windowsError
+    end
+
+    def lookupNames(name:)
+      lsarLookupNamesReq = LsarLookupNamesReq.new(handle:@policyHandle, accountName:name)
+      lsarLookupNamesRes = @file.ioctl_send_recv(lsarLookupNamesReq).buffer
+      lsarLookupNamesRes.raise_not_error_success("lookupNames")
+      lsarLookupNamesRes = LsarLookupNamesRes.read(lsarLookupNamesRes)
+      h = {}
+      h[:domain] = lsarLookupNamesRes.domain.name.str.unpack("v*").pack("c*")
+      h[:sid] = lsarLookupNamesRes.domain.sid.sid.to_s
+      h[:rid] = lsarLookupNamesRes.translatedSids.relativeId.to_i
+      h[:type] = lsarLookupNamesRes.translatedSids.use.to_i
+      return h
+    end
+
+end
+end

data/lib/smbRpc/lsarpc/lookupPrivilegeName.rb

@@ -0,0 +1,37 @@
+module SmbRpc
+  class Lsarpc < Rpc
+
+    class LsarLookupPrivilegeNameReq < BinData::Record
+      endian :little
+      request :request
+      string :policyHandle, :length => 20
+      string :luid, :length => 8
+
+      def initialize_instance
+        super
+        policyHandle.value = get_parameter(:handle)
+        luid.value = get_parameter(:lu)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 32        #LsarLookupPrivilegeName
+      end
+    end
+
+    class LsarLookupPrivilegeNameRes < BinData::Record
+      endian :little
+      response :response
+      uint32 :ref_id_name
+      rpc_unicode_string :name
+      conformantandVaryingStrings :nameNdr
+      uint32 :windowsError
+    end
+
+    def lookupPrivilegeName(luid:)
+      lsarLookupPrivilegeNameReq = LsarLookupPrivilegeNameReq.new(handle:@policyHandle, lu:luid)
+      lsarLookupPrivilegeNameRes = @file.ioctl_send_recv(lsarLookupPrivilegeNameReq).buffer
+      lsarLookupPrivilegeNameRes.raise_not_error_success("lookupPrivilegeName")
+      lsarLookupPrivilegeNameRes = LsarLookupPrivilegeNameRes.read(lsarLookupPrivilegeNameRes)
+      return lsarLookupPrivilegeNameRes.nameNdr.str.unpack("v*").pack("c*")
+    end
+
+end
+end

data/lib/smbRpc/lsarpc/lookupSids.rb

@@ -0,0 +1,96 @@
+module SmbRpc
+  class Lsarpc < Rpc
+
+    class LsarLookupSidsReq < BinData::Record
+      endian :little
+      request :request
+      string :policyHandle, :length => 20
+      lsapr_account_enum_buffer :sidEnumBuffer		#declare in lsaEnumerateAccounts.rb
+      uint32 :entriesRead
+      uint32 :translatedNames
+      uint32 :lookupLevel, :value => 1
+      uint32 :mappedCount
+
+      def initialize_instance
+        super
+        policyHandle.value = get_parameter(:handle)
+
+        sid = get_parameter(:sid)
+        sidEnumBuffer.entriesRead.value = 1
+
+        sidArray = sid.split("-")
+        subAuthorityCount = sidArray.size - 3
+        sidEnumBuffer.ref_id_information[0].value = 1
+        sidEnumBuffer.information[0].sub_auth.value = subAuthorityCount
+        sidEnumBuffer.information[0].sid.revision.value = sidArray[1].to_i
+        sidEnumBuffer.information[0].sid.subAuthorityCount.value = subAuthorityCount
+        sidEnumBuffer.information[0].sid.identifierAuthority.value = [sidArray[2].to_i].pack("N").rjust(6, "\x00")
+        subAuthorityCount.times do |i|
+          sidEnumBuffer.information[0].sid.subAuthority[i] = sidArray[i + 3].to_i
+        end
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 15        		#LsarLookupSids
+      end
+    end
+
+    class Lsapr_trust_information < BinData::Record
+      endian :little
+      uint16 :len
+      uint16 :maxLength
+      uint32 :ref_id_name
+      uint32 :ref_id_sid
+      conformantandVaryingStrings :name
+      sid_element :sid					#declared in lsarpc/lsaEnumerateAccounts.rb
+    end
+
+    class Lsapr_referenced_domain_list < BinData::Record
+      endian :little
+      uint32 :numberOfEntries
+      uint32 :ref_id_domains
+      uint32 :maxEntries
+    end
+
+    class Lsapr_translated_name < BinData::Record
+      endian :little
+      uint32 :use
+      rpc_unicode_string :name
+      uint32 :domainIndex
+    end
+
+    class Lsapr_translated_names < BinData::Record
+      endian :little
+      uint32 :numberOfNames
+      uint32 :ref_id_names
+      uint32 :numberOfEntries, :value => :numberOfNames
+      array :names, :type => :lsapr_translated_name, :initial_length => :numberOfEntries
+      array :nameNdr, :type => :conformantandVaryingStrings, :initial_length => :numberOfEntries
+    end
+
+    class LsarLookupSidsRes < BinData::Record
+      endian :little
+      response :response
+      uint32 :ref_id_referencedDomains
+      lsapr_referenced_domain_list :referencedDomains
+      uint32 :numberOfEntries
+      lsapr_trust_information :domain
+      lsapr_translated_names :translatedNames
+      uint32 :mappedCount
+      uint32 :windowsError
+    end
+
+    def lookupSids(sid:)
+      lsarLookupSidsReq = LsarLookupSidsReq.new(handle:@policyHandle, sid:sid)
+      lsarLookupSidsRes = @file.ioctl_send_recv(lsarLookupSidsReq).buffer
+      lsarLookupSidsRes.raise_not_error_success("lookupSids")
+      lsarLookupSidsRes = LsarLookupSidsRes.read(lsarLookupSidsRes)
+      result = lsarLookupSidsRes.windowsError
+      result == 0? result : (raise "LsaLookupSids Fail, WinError: %i"%[result])
+      h = {}
+      h[:domain] = lsarLookupSidsRes.domain.name.str.unpack("v*").pack("c*")
+      h[:name] = lsarLookupSidsRes.translatedNames.nameNdr[0].str.unpack("v*").pack("c*")
+      h[:type] = lsarLookupSidsRes.translatedNames.names[0].use
+      return h
+    end
+
+end
+end

data/lib/smbRpc/lsarpc/openAccount.rb

@@ -0,0 +1,49 @@
+module SmbRpc
+  class Lsarpc < Rpc
+
+    attr_accessor :accountHandle
+
+    class LsarOpenAccountReq < BinData::Record
+      endian :little
+      request :request
+      string :policyHandle, :length => 20
+      uint32 :sub_auth, :value => lambda { accountSid.subAuthorityCount.value }
+      rpc_sid :accountSid
+      uint32 :desiredAccess
+
+      def initialize_instance
+        super
+        policyHandle.value = get_parameter(:handle)
+        desiredAccess.value = get_parameter(:access)
+        sid = get_parameter(:sid)
+        sidArray = sid.split("-")
+        subAuthorityCount = sidArray.size - 3
+        accountSid.revision.value = sidArray[1].to_i
+        accountSid.subAuthorityCount.value = subAuthorityCount
+        accountSid.identifierAuthority.value = [sidArray[2].to_i].pack("N").rjust(6, "\x00")
+        subAuthorityCount.times do |i|
+          accountSid.subAuthority[i] = sidArray[i + 3].to_i
+        end
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 17        #LsarOpenAccount
+      end
+    end
+
+    class LsarOpenAccountRes < BinData::Record
+      endian :little
+      response :response
+      string :accountHandle, :length => 20
+      uint32 :windowsError
+    end
+
+    def openAccount(desiredAccess:, sid:)
+      lsarOpenAccountReq = LsarOpenAccountReq.new(handle:@policyHandle, access:desiredAccess, sid:sid)
+      lsarOpenAccountRes = @file.ioctl_send_recv(lsarOpenAccountReq).buffer
+      lsarOpenAccountRes.raise_not_error_success("openAccount")
+      lsarOpenAccountRes = LsarOpenAccountRes.read(lsarOpenAccountRes)
+      @accountHandle = lsarOpenAccountRes.accountHandle
+      return self
+    end
+
+end
+end

data/lib/smbRpc/lsarpc/openPolicy.rb

@@ -0,0 +1,52 @@
+
+module SmbRpc
+  class Lsarpc < Rpc
+
+    attr_accessor :policyHandle
+
+    class Lsapr_object_attributes < BinData::Record
+      endian :little
+      uint32 :len
+      uint32 :rootDirectory
+      uint32 :objectName
+      uint32 :attributes
+      uint32 :securityDescriptor
+      uint32 :securityQualityOfService
+      def initialize_instance
+        super
+        len.value = self.num_bytes
+      end
+    end
+
+    class LsarOpenPolicy2Req < BinData::Record
+      endian :little
+      request :request
+      uint32 :systemName
+      lsapr_object_attributes :objectAttributes
+      uint32 :desiredAccess
+      def initialize_instance
+        super
+        desiredAccess.value = get_parameter(:accessMask)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 44        #LsarOpenPolicy2
+      end
+    end
+
+    class LsarOpenPolicy2Res < BinData::Record
+      endian :little
+      response :response
+      string :policyHandle, :length => 20
+      uint32 :windowsError
+    end
+
+    def openPolicy(desiredAccess:LSARPC_ALL_ACCESS_MASK["MAXIMUM_ALLOWED"])
+      lsarOpenPolicy2Req = LsarOpenPolicy2Req.new(accessMask:desiredAccess)
+      lsarOpenPolicy2Res = @file.ioctl_send_recv(lsarOpenPolicy2Req).buffer
+      lsarOpenPolicy2Res.raise_not_error_success("openPolicy")
+      lsarOpenPolicy2Res = LsarOpenPolicy2Res.read(lsarOpenPolicy2Res)
+      @policyHandle = lsarOpenPolicy2Res.policyHandle
+      return self
+    end
+
+end
+end

data/lib/smbRpc/lsarpc/queryInformationPolicy.rb

@@ -0,0 +1,92 @@
+
+
+module SmbRpc
+  class Lsarpc < Rpc
+
+    #[MS-DTYPE]
+    class Rpc_unicode_string < BinData::Record
+      endian :little
+      uint16 :len					#length in bytes, multiple of 2, not include null terminate
+      uint16 :maximumLength				#maxlength in bytes, multiple of 2, not less than length 
+							#If MaximumLength is greater than zero, the buffer MUST contain a non-null value
+      uint32 :ref_id_buffer, :initial_value => 1	#set null pointer if maximumLength == 0		
+    end
+
+    class Rpc_sid < BinData::Record
+      endian :little
+      uint8 :revision
+      uint8 :subAuthorityCount
+      string :identifierAuthority, :length => 6 
+      array :subAuthority, :type => :uint32, :initial_length => :subAuthorityCount
+
+      def to_s
+        sid = "S-%i"%[self.revision]
+        sid << "-%i"%[self.identifierAuthority.unpack("H*")[0].to_i(16)]
+        self.subAuthority.each { |i| sid << "-%i"%[i] }
+        return sid
+      end
+    end
+
+    class Lsapr_policy_dns_domain_info < BinData::Record
+      endian :little
+      rpc_unicode_string :name
+      rpc_unicode_string :dnsDomainName
+      rpc_unicode_string :dnsForestName
+      string :guid, :length => 16
+      uint32 :sid
+      conformantandVaryingStrings :nameNdr, :onlyif => lambda { name.maximumLength > 0 } 
+      conformantandVaryingStrings :dnsDomainNameNdr, :onlyif => lambda { dnsDomainName.maximumLength > 0 } 
+      conformantandVaryingStrings :dnsForestNameNdr, :onlyif => lambda { dnsForestName.maximumLength > 0 }
+    end
+
+    class LsarQueryInformationPolicy2Req < BinData::Record
+      endian :little
+      request :request
+      string :policyHandle, :length => 20
+      uint16 :informationClass
+
+      def initialize_instance
+        super
+        policyHandle.value = get_parameter(:handle)
+        informationClass.value = get_parameter(:infoClass)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 46        		#LsarQueryInformationPolicy2
+      end
+    end
+
+    class LsarQueryInformationPolicy2Res < BinData::Record
+      endian :little
+      response :response
+      uint32 :ref_id_policyInformation
+      uint32 :informationClass_tag
+
+      choice :policyInformation, :selection => lambda { get_parameter(:infoClass) } do
+        uint32 6					#enum _POLICY_LSA_SERVER_ROLE { PolicyServerRoleBackup = 2, PolicyServerRolePrimary}
+        lsapr_policy_dns_domain_info 12
+      end
+      uint32 :windowsError
+    end
+
+    def queryInformationPolicy(informationClass:LSARPC_POLICY_INFORMATION_CLASS["PolicyDnsDomainInformation"])
+      lsarQueryInformationPolicy2Req = LsarQueryInformationPolicy2Req.new(handle:@policyHandle, infoClass:informationClass)
+      response = @file.ioctl_send_recv(lsarQueryInformationPolicy2Req).buffer
+      response.raise_not_error_success("queryInformationPolicy")
+      lsarQueryInformationPolicy2Res = LsarQueryInformationPolicy2Res.new(infoClass:informationClass)
+      lsarQueryInformationPolicy2Res.read(response)
+      short = lsarQueryInformationPolicy2Res.policyInformation
+      out = {}
+      if informationClass == LSARPC_POLICY_INFORMATION_CLASS["PolicyDnsDomainInformation"]
+        out[:name] = short.nameNdr.str.unpack("v*").pack("c*") if short.name.len > 0
+        out[:dnsDomainName] = short.dnsDomainNameNdr.str.unpack("v*").pack("c*") if short.dnsDomainName.len > 0
+        out[:dnsForestName] = short.dnsForestNameNdr.str.unpack("v*").pack("c*") if short.dnsForestName.len > 0
+        out[:guid] = short.guid
+        out[:sid] = short.sid
+      end
+      if informationClass == LSARPC_POLICY_INFORMATION_CLASS["PolicyLsaServerRoleInformation"]
+        out[:policyServerRole] = short
+      end
+      return out
+    end
+
+end
+end