smbRpc 0.0.4 → 0.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7f3353d8440dbac0b159a906b9ddbeb6a7514a8061576badb2553871238bfc05
-  data.tar.gz: f2797f8e40083d8e93dfcd3751720a12c9e288dced2fb8cd754e1bb0b3b41091
+  metadata.gz: 300363413b5dcdb199df282c238b28340d5feb864c91f34d41624e3baa23c558
+  data.tar.gz: 3625981dfdca5e97929b3489eb678760e99e26f5766ca9c8e6aad07d1fc7f977
 SHA512:
-  metadata.gz: 4ebd5d9e565a097ff1c36221155fdc0047653e6e219eef73a10f28ac38aef59d51ab2dc70fbe724d121f6445ec339faf2ed1b10c9d634c8a7e571aee0ffe737d
-  data.tar.gz: 3b1a63cac8deadc5a81cd2173ff21914e9234db9fa02163c5a68967552cef11c9ba54caa847cfd76533c7bfec4e5d1b01a82ae89debdc765a963d49a8cd6a055
+  metadata.gz: 02043c408515bba0e8535bfe4d5cb5b11a50ce58dacf3cc6f2f6cf4fc4e8db0230787a7b5c98ece82974951998221b58740f92949fbf2c1d19e1a431a2515322
+  data.tar.gz: 956e2afdc2abd9bcb05ba98136c6ab11fb7ed83c20f68a4f4fd2047d02e6014db04c8dc3bc14b3828a51ed8395e480066fa88313df89fbd91bd5d996b171c254

data/README.md

@@ -1,11 +1,26 @@
-his is a Windows RPC over SMB namepipe library modeled over the ruby_smb library.
-All function names and arguments were written to closely reflct the originals MS documented specifications.
+This is a Windows RPC over SMB namepipe library modeled over the ruby_smb library.
+All function names and arguments were written to closely reflct the originals MS documented specifications.  So if you want to know how to use it, just read the respective MS name pipe protocol documentations, see what functions I have exposed, and read the respective function definition.  
+Example:
+To look up names in LSA; MS-LSAD and MS-LSAT would tell you to call openPolicy then lookUpNames.  If you look in the lsarpc folder you'll see both functions available.  All you have to do is read the function definition in the file and decide what arguments you want to pass in.
+
+lsarpc = SmbRpc::Lsarpc.new(ip:ip, user:user, pass:pass)
+
+policy = lsarpc.openPolicy
+
+p policy.lookupNames(name:"guest")
+
 Currently I have only exposed some functions to the following namepipes.  I'll be adding more as I continue developing this project.
 
-epmapper
-samr
-srvsvc
-svcctl
-lsarpc
+epmapper https://svn.nmap.org/nmap-exp/drazen/var/IDL/epmapper.idl?p=25000
+
+samr [MS-SAMR]
+
+srvsvc [MS-SRVS]
+
+svcctl [MS-SCMR]
+
+lsarpc [MS-LSAD] and [MS-LSAT]
+
+winreg [MS-RRP]
 
 Comments and suggestions are welcome, please email to rubysmbrpc@gmail.com

data/examples/regAdd.rb

@@ -0,0 +1,44 @@
+#!/usr/bin/ruby
+require"smbRpc"
+
+ip = "10.1.1.234"
+port = 445
+user = "admin"
+pass = "superSecret"
+key = "HKLM\\HARDWARE"
+
+splitKey = key.split("\\")
+rKey = splitKey[0].upcase
+sKey =  splitKey[1..-1].join("\\")
+
+newKey = "BLA"
+newValues = {
+  "sz" => [ WINREG_REG_VALUE_TYPE["REG_SZ"], "abcd\x00".bytes.pack("v*")],
+  "exp" => [ WINREG_REG_VALUE_TYPE["REG_EXPAND_SZ"], "System32\\Drivers\\ACPI.sys".bytes.pack("v*")],
+  "bin" => [ WINREG_REG_VALUE_TYPE["REG_BINARY"], "\x23\x56\xff\xde\xed\x56\x7c\x44"],
+  "dwle" => [ WINREG_REG_VALUE_TYPE["REG_DWORDLE"], "\x01\x00\x00\x00"],
+  "dwbe" => [ WINREG_REG_VALUE_TYPE["REG_DWORDBE"], "\x00\x00\x00\xff"],
+  "multi" => [ WINREG_REG_VALUE_TYPE["REG_MULTI_SZ"], "System32\x00Drivers\x00ACPI.sys\x00".bytes.pack("v*")],
+  "qw" => [ WINREG_REG_VALUE_TYPE["REG_QWORDLE"], [4096].pack("<q")]
+}
+
+rootKeys = { 
+"HKLM" =>  SmbRpc::Winreg.new(ip:ip, user:user, pass:pass).openLocalMachine, 
+"HKCU" =>  SmbRpc::Winreg.new(ip:ip, user:user, pass:pass).openCurrentUser,  
+"HKCR" =>  SmbRpc::Winreg.new(ip:ip, user:user, pass:pass).openClassesRoot, 
+"HKU" =>  SmbRpc::Winreg.new(ip:ip, user:user, pass:pass).openUsers, 
+"HKCC" =>  SmbRpc::Winreg.new(ip:ip, user:user, pass:pass).openCurrentConfig 
+}
+
+winreg = rootKeys[rKey].baseRegOpenKey(subKey:sKey)
+
+p WINREG_DISPOSITION.key(winreg.baseRegCreateKey(subKey:newKey).disposition)		#can not create key imediately under HKLM/HKU
+
+newValues.each do |k,v|
+  winreg.baseRegSetValue(valueName:k, type:v[0], data:v[1])
+  puts"%s\\%s => %s"%[key, k, v[1].inspect]
+end
+
+winreg.close
+
+

data/examples/regQuery.rb

@@ -0,0 +1,40 @@
+#!/usr/bin/ruby
+require"smbRpc"
+
+#regQuery.rb 10.1.1.245 admin seperSecret HkLm\\System\\CurrentControlset\\services\\ALG
+
+ip = ARGV[0]
+port = 445
+user = ARGV[1]
+pass = ARGV[2]
+#key = "HkLm\\System\\CurrentControlset\\services\\ALG"
+key = ARGV[3]
+puts"reading: %s\n\n"%[key]
+
+splitKey = key.split("\\")
+rKey = splitKey[0].upcase
+sKey =  splitKey[1..-1].join("\\")
+
+rootKeys = { 
+"HKLM" =>  SmbRpc::Winreg.new(ip:ip, user:user, pass:pass).openLocalMachine, 
+"HKCU" =>  SmbRpc::Winreg.new(ip:ip, user:user, pass:pass).openCurrentUser,  
+"HKCR" =>  SmbRpc::Winreg.new(ip:ip, user:user, pass:pass).openClassesRoot, 
+"HKU" =>  SmbRpc::Winreg.new(ip:ip, user:user, pass:pass).openUsers, 
+"HKCC" =>  SmbRpc::Winreg.new(ip:ip, user:user, pass:pass).openCurrentConfig 
+}
+
+winreg = rootKeys[rKey].baseRegOpenKey(subKey:sKey)
+
+keyInfo = winreg.baseRegQueryInfoKey
+keyInfo[:numberOfSubkeys].times do |i| 			#enum keys if subkeys count > 0
+  p winreg.baseRegEnumKey(index:i)
+end if keyInfo[:numberOfSubkeys] > 0
+
+keyInfo[:numberOfValues].times do |i| 			#enum values if values count > 0
+  h = winreg.baseRegEnumValue(index:i)
+  puts"%s : %i : %s"%[h[:valueName], h[:type], winreg.baseRegQueryValue(valueName:h[:valueName]).inspect]
+end if keyInfo[:numberOfValues] > 0
+
+winreg.close
+
+

data/examples/regSave.rb

@@ -0,0 +1,26 @@
+#!/usr/bin/ruby
+require"smbRpc"
+
+#regSave.rb 10.1.1.234 admin superSecret HkLm\\SAM C:\\sam
+ip = ARGV[0]
+port = 445
+user = ARGV[1]
+pass = ARGV[2]
+key = ARGV[3]
+file = ARGV[4]
+
+splitKey = key.split("\\")
+rKey = splitKey[0].upcase
+sKey =  splitKey[1..-1].join("\\")
+
+rootKeys = { 
+"HKLM" =>  SmbRpc::Winreg.new(ip:ip, user:user, pass:pass).openLocalMachine, 
+"HKCU" =>  SmbRpc::Winreg.new(ip:ip, user:user, pass:pass).openCurrentUser,  
+"HKCR" =>  SmbRpc::Winreg.new(ip:ip, user:user, pass:pass).openClassesRoot, 
+"HKU" =>  SmbRpc::Winreg.new(ip:ip, user:user, pass:pass).openUsers, 
+"HKCC" =>  SmbRpc::Winreg.new(ip:ip, user:user, pass:pass).openCurrentConfig 
+}
+
+winreg = rootKeys[rKey].baseRegOpenKey(subKey:sKey).baseRegSaveKey(file:file).close
+puts"%s \nsaved to\n %s"%[key, file]
+

data/lib/smbRpc.rb

@@ -3,7 +3,6 @@ require"ruby_smb"
 require"bindata"
 require"windows_error/win32"
 require"smbhash"			#nice little library to make Lm/NTLM hash
-#require"windows_error/nt_status"	#already loaded by ruby_smb
 
 #$:.unshift(File.expand_path('.',__dir__))
 require"smbRpc/rpc"
@@ -12,22 +11,6 @@ require"smbRpc/svcctl"
 require"smbRpc/lsarpc"
 require"smbRpc/epmapper"
 require"smbRpc/samr"
+require"smbRpc/winreg"
 require"smbRpc/updateRuby_smb"
 require"smbRpc/updateString"
-
-#require"rpc_packet"
-#require"endpoints"
-#require"constants"
-#require"ndrep"
-#require"srvsvc_packet"
-#require"svcctl_packet"
-
-#require_relative"endpoints"
-#require_relative"constants"
-#require_relative"ndrep"
-#require_relative"rpc"
-#require_relative"rpc_packet"
-#require_relative"srvsvc"
-#require_relative"srvsvc_packet"
-#require_relative"svcctl"
-#require_relative"svcctl_packet"

data/lib/smbRpc/rpc/endpoints.rb

@@ -25,6 +25,11 @@ module SmbRpc
       VER_MAJOR = 1
       VER_MINOR = 0
     end
+    module Winreg
+      UUID = '338CD001-2244-31F1-AAAA-900038001003'
+      VER_MAJOR = 1
+      VER_MINOR = 0
+    end
   end
 end
 
@@ -33,6 +38,6 @@ ENDPOINT = {
   "svcctl" => SmbRpc::Endpoint::Svcctl,
   "lsarpc" => SmbRpc::Endpoint::Lsarpc,
   "epmapper" => SmbRpc::Endpoint::Epmapper,
-  "samr" => SmbRpc::Endpoint::Samr
+  "samr" => SmbRpc::Endpoint::Samr,
+  "winreg" => SmbRpc::Endpoint::Winreg
 }
-

data/lib/smbRpc/winreg.rb

@@ -0,0 +1,27 @@
+require"smbRpc/winreg/constants"
+require"smbRpc/winreg/openLocalMachine"
+require"smbRpc/winreg/baseRegOpenKey"
+require"smbRpc/winreg/baseRegQueryValue"
+require"smbRpc/winreg/baseRegCloseKey"
+require"smbRpc/winreg/baseRegEnumKey"
+require"smbRpc/winreg/baseRegQueryInfoKey"
+require"smbRpc/winreg/baseRegEnumValue"
+require"smbRpc/winreg/openClassesRoot"
+require"smbRpc/winreg/openCurrentUser"
+require"smbRpc/winreg/openUsers"
+require"smbRpc/winreg/openCurrentConfig"
+require"smbRpc/winreg/baseRegCreateKey"
+require"smbRpc/winreg/baseRegSetValue"
+require"smbRpc/winreg/baseRegDeleteValue"
+require"smbRpc/winreg/baseRegDeleteKey"
+require"smbRpc/winreg/baseRegSaveKey"
+
+module SmbRpc
+  class Winreg < Rpc
+    def initialize(**argv)
+      super(argv)
+      self.connect
+      self.bind(pipe:"winreg")
+    end
+end
+end

data/lib/smbRpc/winreg/baseRegCloseKey.rb

@@ -0,0 +1,50 @@
+
+module SmbRpc
+  class Winreg < Rpc
+
+    class BaseRegCloseKeyReq < BinData::Record
+      endian :little
+      request :request
+      string :hKey, :length => 20
+      def initialize_instance
+        super
+        hKey.value = get_parameter(:handle)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 5        #BaseRegCloseKey
+      end
+    end
+
+    class BaseRegCloseKeyRes < BinData::Record
+      endian :little
+      request :request
+      string :hKey, :length => 20
+      uint32 :windowsError
+    end
+
+    def closeRootKey()
+      if !@rootKeyHandle.nil?
+        baseRegCloseKeyReq = BaseRegCloseKeyReq.new(handle:@rootKeyHandle)
+        baseRegCloseKeyRes = @file.ioctl_send_recv(baseRegCloseKeyReq).buffer
+        baseRegCloseKeyRes.raise_not_error_success("closeRootKey")
+        baseRegCloseKeyRes = BaseRegCloseKeyRes.read(baseRegCloseKeyRes)
+        @rootKeyHandle = nil
+      end
+    end
+
+    def closeSubKey()
+      if !@subKeyHandle.nil?
+        baseRegCloseKeyReq = BaseRegCloseKeyReq.new(handle:@subKeyHandle)
+        baseRegCloseKeyRes = @file.ioctl_send_recv(baseRegCloseKeyReq).buffer
+        baseRegCloseKeyRes.raise_not_error_success("closeSubKey")
+        baseRegCloseKeyRes = BaseRegCloseKeyRes.read(baseRegCloseKeyRes)
+        @subKeyHandle = nil
+      end
+    end
+
+    def close()
+      closeSubKey()
+      closeRootKey()
+      super
+    end
+end
+end

data/lib/smbRpc/winreg/baseRegCreateKey.rb

@@ -0,0 +1,58 @@
+module SmbRpc
+  class Winreg < Rpc
+    attr_reader :disposition
+
+    class BaseRegCreateKeyReq < BinData::Record
+      endian :little
+      request :request
+      string :hKey, :length => 20
+      rpc_unicode_string :lpSubKey
+      conformantandVaryingStrings :lpSubKeyNdr
+      rpc_unicode_string :lpClass
+      uint32 :dwOptions
+      uint32 :samDesired
+      uint32 :lpSecurityAttributes
+      uint32 :ref_id_lpdwDisposition, :initial_value => 1
+      uint32 :lpdwDisposition
+      
+      def initialize_instance
+        super
+        hKey.value = get_parameter(:handle)
+        uniString = "#{get_parameter(:name)}\x00".bytes.pack("v*")
+        lpSubKey.len.value = uniString.bytesize
+        lpSubKey.maximumLength.value = uniString.bytesize
+        lpSubKeyNdr.str.value = uniString
+        lpClass.len.value = 0
+        lpClass.maximumLength.value = 0
+        lpClass.ref_id_buffer.value = 0
+        dwOptions.value = get_parameter(:options)
+        samDesired.value = get_parameter(:desired)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 6        #BaseRegCreateKey
+      end
+    end
+
+    class BaseRegCreateKeyRes < BinData::Record
+      endian :little
+      request :request
+      string :phkResult, :length => 20      
+      uint32 :ref_id_lpdwDisposition
+      uint32 :lpdwDisposition
+      uint32 :windowsError
+    end
+
+    #https://msdn.microsoft.com/en-us/library/cc244922.aspx
+    #can not create remote key imediately under HKLM/HKU, will get ERROR_INVALID_PARAMETER
+    def baseRegCreateKey(subKey:, samDesired:WINREG_REGSAM["MAXIMUM_ALLOWED"], options:WINREG_OPTIONS["NONE"])
+      baseRegCreateKeyReq = BaseRegCreateKeyReq.new(handle:(@subKeyHandle || @rootKeyHandle), name:subKey, desired:samDesired, options:options)
+      baseRegCreateKeyRes = @file.ioctl_send_recv(baseRegCreateKeyReq).buffer
+      baseRegCreateKeyRes.raise_not_error_success("baseRegCreateKey")
+      baseRegCreateKeyRes = BaseRegCreateKeyRes.read(baseRegCreateKeyRes)
+      @disposition = baseRegCreateKeyRes.lpdwDisposition
+      @subKeyHandle = baseRegCreateKeyRes.phkResult
+      return self
+    end
+
+end
+end
+

data/lib/smbRpc/winreg/baseRegDeleteKey.rb

@@ -0,0 +1,38 @@
+module SmbRpc
+  class Winreg < Rpc
+
+    class BaseRegDeleteKeyReq < BinData::Record
+      endian :little
+      request :request
+      string :hKey, :length => 20
+      rpc_unicode_string :lpSubKey
+      conformantandVaryingStrings :lpSubKeyNdr
+
+      def initialize_instance
+        super
+        hKey.value = get_parameter(:handle)
+        uniString = "#{get_parameter(:subKey)}\x00".bytes.pack("v*")
+        lpSubKey.len.value = uniString.bytesize
+        lpSubKey.maximumLength.value = uniString.bytesize
+        lpSubKeyNdr.str.value = uniString
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 7        #BaseRegDeleteKey
+      end
+    end
+
+    class BaseRegDeleteKeyRes < BinData::Record
+      endian :little
+      request :request
+      uint32 :windowsError
+    end
+
+    def baseRegDeleteKey(subKey:)
+      baseRegDeleteKeyReq = BaseRegDeleteKeyReq.new(handle:@subKeyHandle, subKey:subKey)
+      baseRegDeleteKeyRes = @file.ioctl_send_recv(baseRegDeleteKeyReq).buffer
+      baseRegDeleteKeyRes.raise_not_error_success("baseRegDeleteKey")
+      return self
+    end
+
+end
+end
+

data/lib/smbRpc/winreg/baseRegDeleteValue.rb

@@ -0,0 +1,38 @@
+module SmbRpc
+  class Winreg < Rpc
+
+    class BaseRegDeleteValueReq < BinData::Record
+      endian :little
+      request :request
+      string :hKey, :length => 20
+      rpc_unicode_string :lpValueName
+      conformantandVaryingStrings :lpValueNameNdr
+
+      def initialize_instance
+        super
+        hKey.value = get_parameter(:handle)
+        uniString = "#{get_parameter(:valueName)}\x00".bytes.pack("v*")
+        lpValueName.len.value = uniString.bytesize
+        lpValueName.maximumLength.value = uniString.bytesize
+        lpValueNameNdr.str.value = uniString
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 8        #BaseRegDeleteValue
+      end
+    end
+
+    class BaseRegDeleteValueRes < BinData::Record
+      endian :little
+      request :request
+      uint32 :windowsError
+    end
+
+    def baseRegDeleteValue(valueName:)
+      baseRegDeleteValueReq = BaseRegDeleteValueReq.new(handle:(@subKeyHandle || @rootKeyHandle), valueName:valueName)
+      baseRegDeleteValueRes = @file.ioctl_send_recv(baseRegDeleteValueReq).buffer
+      baseRegDeleteValueRes.raise_not_error_success("baseRegDeleteValue")
+      return self
+    end
+
+end
+end
+

data/lib/smbRpc/winreg/baseRegEnumKey.rb

@@ -0,0 +1,53 @@
+module SmbRpc
+  class Winreg < Rpc
+
+    class BaseRegEnumKeyReq < BinData::Record
+      endian :little
+      request :request
+      string :hKey, :length => 20
+
+      uint32 :dwIndex
+      rpc_unicode_string :lpNameIn
+      uint32 :ref_id_lpClassIn, :value => 1
+      rpc_unicode_string :lpClassIn
+      uint32 :lpftLastWriteTime
+
+      def initialize_instance
+        super
+        hKey.value = get_parameter(:handle)
+        dwIndex.value = get_parameter(:index)
+        lpNameIn.len.value = 0
+        lpNameIn.maximumLength.value = 0x1000
+        lpNameIn.ref_id_buffer.value = 0
+        lpClassIn.len.value = 0
+        lpClassIn.maximumLength.value = 0x1000
+        lpClassIn.ref_id_buffer.value = 0
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 9        #BaseRegEnumKey
+      end
+    end
+
+    class BaseRegEnumKeyRes < BinData::Record
+      endian :little
+      request :request
+
+      rpc_unicode_string :lpNameOut
+      conformantandVaryingStrings :lpNameOutNdr
+      rpc_unicode_string :lplpClassOut
+      uint32 :lpftLastWriteTime
+
+      uint32 :windowsError
+    end
+
+    def baseRegEnumKey(index:)
+      baseRegEnumKeyReq = BaseRegEnumKeyReq.new(handle:(@subKeyHandle || @rootKeyHandle), index:index)
+      baseRegEnumKeyRes = @file.ioctl_send_recv(baseRegEnumKeyReq).buffer
+      baseRegEnumKeyRes.raise_not_error_success("baseRegEnumKey")
+      baseRegEnumKeyRes = BaseRegEnumKeyRes.read(baseRegEnumKeyRes)
+      out = baseRegEnumKeyRes.lpNameOutNdr.str.unpack("v*").pack("c*")
+      return out.chop if out[-1] == "\x00"
+    end
+
+end
+end
+

data/lib/smbRpc/winreg/baseRegEnumValue.rb

@@ -0,0 +1,57 @@
+module SmbRpc
+  class Winreg < Rpc
+
+    class BaseRegEnumValueReq < BinData::Record
+      endian :little
+      request :request
+      string :hKey, :length => 20
+      uint32 :dwIndex
+      rpc_unicode_string :lpValueNameIn
+      conformantandVaryingStrings :lpValueNameInNdr
+      uint32 :ref_id_lpType, :value => 1
+      uint32 :lpType
+      uint32 :ref_id_lpData, :initial_value => 0
+      uint32 :ref_id_lpcbData, :initial_value => 0
+      uint32 :ref_id_lpcbLen, :initial_value => 0
+
+      def initialize_instance
+        super
+        hKey.value = get_parameter(:handle)
+        dwIndex.value = get_parameter(:index)
+        #https://support.microsoft.com/en-us/help/256986/windows-registry-information-for-advanced-users
+        maxValueNameLen = 0x100
+        lpValueNameIn.len.value = maxValueNameLen
+        lpValueNameIn.maximumLength.value = maxValueNameLen
+        lpValueNameInNdr.str = "\x00" * maxValueNameLen		#this is so weird :_
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 10        #BaseRegEnumValue
+      end
+    end
+
+    class BaseRegEnumValueRes < BinData::Record
+      endian :little
+      request :request
+      rpc_unicode_string :lpValueNameOut
+      conformantandVaryingStrings :lpValueNameOutNdr
+      uint32 :ref_id_lpType, :value => 1
+      uint32 :lpType
+      uint32 :lpData
+      uint32 :lpcbData
+      uint32 :lpcbLen
+      uint32 :windowsError
+    end
+
+    def baseRegEnumValue(index:)
+      baseRegEnumValueReq = BaseRegEnumValueReq.new(handle:(@subKeyHandle || @rootKeyHandle), index:index)
+      baseRegEnumValueRes = @file.ioctl_send_recv(baseRegEnumValueReq).buffer
+      baseRegEnumValueRes.raise_not_error_success("baseRegEnumValue")
+      baseRegEnumValueRes = BaseRegEnumValueRes.read(baseRegEnumValueRes)
+      valueName = baseRegEnumValueRes.lpValueNameOutNdr.str.unpack("v*").pack("c*").chop
+      return { :valueName => valueName,
+               :type => baseRegEnumValueRes.lpType.to_i
+      }
+    end
+
+end
+end
+

data/lib/smbRpc/winreg/baseRegOpenKey.rb

@@ -0,0 +1,47 @@
+module SmbRpc
+  class Winreg < Rpc
+
+    attr_accessor :subKeyHandle
+
+    class BaseRegOpenKeyReq < BinData::Record
+      endian :little
+      request :request
+      string :hKey, :length => 20
+      rpc_unicode_string :lpSubKey
+      conformantandVaryingStrings :lpSubKeyNdr
+      uint32 :dwOptions
+      uint32 :samDesired
+
+      def initialize_instance
+        super
+        hKey.value = get_parameter(:handle)
+        uniString = "#{get_parameter(:subKey)}\x00".bytes.pack("v*")
+        lpSubKey.len.value = uniString.bytesize
+        lpSubKey.maximumLength.value = uniString.bytesize
+        lpSubKeyNdr.str.value = uniString
+        dwOptions.value = get_parameter(:options)
+        samDesired.value = get_parameter(:desired)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 15        #BaseRegOpenKey
+      end
+    end
+
+    class BaseRegOpenKeyRes < BinData::Record
+      endian :little
+      request :request
+      string :phkResult, :length => 20
+      uint32 :windowsError
+    end
+
+    def baseRegOpenKey(subKey:, samDesired:WINREG_REGSAM["MAXIMUM_ALLOWED"], options:WINREG_OPTIONS["NONE"])
+      baseRegOpenKeyReq = BaseRegOpenKeyReq.new(handle:@rootKeyHandle, subKey:subKey, desired:samDesired, options:options)
+      baseRegOpenKeyRes = @file.ioctl_send_recv(baseRegOpenKeyReq).buffer
+      baseRegOpenKeyRes.raise_not_error_success("baseRegOpenKey")
+      baseRegOpenKeyRes = BaseRegOpenKeyRes.read(baseRegOpenKeyRes)
+      @subKeyHandle = baseRegOpenKeyRes.phkResult
+      return self
+    end
+
+end
+end
+

data/lib/smbRpc/winreg/baseRegQueryInfoKey.rb

@@ -0,0 +1,56 @@
+module SmbRpc
+  class Winreg < Rpc
+
+    class BaseRegQueryInfoKeyReq < BinData::Record
+      endian :little
+      request :request
+      string :hKey, :length => 20
+      rpc_unicode_string :lpClassIn
+
+      def initialize_instance
+        super
+        hKey.value = get_parameter(:handle)
+        lpClassIn.len.value = 0
+        lpClassIn.maximumLength.value = 0x1000
+        lpClassIn.ref_id_buffer.value = 0
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 16        #BaseRegQueryInfoKey
+      end
+    end
+
+    class BaseRegQueryInfoKeyRes < BinData::Record
+      endian :little
+      request :request
+      rpc_unicode_string :lpClassOut
+      conformantandVaryingStrings :lpClassOutNdr
+      uint32 :lpcSubKeys
+      uint32 :lpcbMaxSubKeyLen
+      uint32 :lpcbMaxClassLen
+      uint32 :lpcValues
+      uint32 :lpcbMaxValueNameLen
+      uint32 :lpcbMaxValueLen
+      uint32 :lpcbSecurityDescriptor
+      uint64 :lpftLastWriteTime
+      uint32 :windowsError
+    end
+
+    def baseRegQueryInfoKey
+      baseRegQueryInfoKeyReq = BaseRegQueryInfoKeyReq.new(handle:(@subKeyHandle || @rootKeyHandle))
+      baseRegQueryInfoKeyRes = @file.ioctl_send_recv(baseRegQueryInfoKeyReq).buffer
+      baseRegQueryInfoKeyRes.raise_not_error_success("baseRegQueryInfoKey")
+      baseRegQueryInfoKeyRes = BaseRegQueryInfoKeyRes.read(baseRegQueryInfoKeyRes)
+      k = baseRegQueryInfoKeyRes
+      return { :numberOfSubkeys => k.lpcSubKeys,
+               :maxSubkeySize => k.lpcbMaxSubKeyLen,
+               :maxClassSize => k.lpcbMaxClassLen,
+               :numberOfValues => k.lpcValues,
+               :maxValueNameSize => k.lpcbMaxValueNameLen,
+               :maxValueSize => k.lpcbMaxValueLen,
+               :securityDescriptorSize => k.lpcbSecurityDescriptor,
+               :lastWriteTime => k.lpftLastWriteTime
+      }
+    end
+
+end
+end
+

data/lib/smbRpc/winreg/baseRegQueryValue.rb

@@ -0,0 +1,81 @@
+module SmbRpc
+  class Winreg < Rpc
+
+    class BaseRegQueryValueReq < BinData::Record
+      endian :little
+      request :request
+      string :hKey, :length => 20
+      rpc_unicode_string :lpValueName
+      conformantandVaryingStrings :lpValueNameNdr
+      uint32 :ref_id_lpType, :value => 1
+      uint32 :lpType
+      uint32 :ref_id_lpData, :initial_value => 1
+      conformantandVaryingStringsAscii :lpData
+      uint32 :ref_id_lpcbData, :initial_value => 1
+      uint32 :lpcbData
+      uint32 :ref_id_lpcbLen, :initial_value => 1
+      uint32 :lpcbLen
+
+      def initialize_instance
+        super
+
+        hKey.value = get_parameter(:handle)
+        uniString = "#{get_parameter(:vName)}\x00".bytes.pack("v*")
+        lpValueName.len.value = uniString.bytesize
+        lpValueName.maximumLength.value = uniString.bytesize
+        lpValueNameNdr.str.value = uniString
+        lpType.value = get_parameter(:type)
+        lpData.str = ""
+        lpData.max_count.value = 0x1000
+
+        lpcbData.value = 0x1000
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 17        #BaseRegQueryValue
+      end
+    end
+
+    class BaseRegQueryValueRes < BinData::Record
+      endian :little
+      request :request
+      uint32 :ref_id_lpType
+      uint32 :lpType
+      uint32 :ref_id_lpData
+      conformantandVaryingStringsAscii :lpData
+      uint32 :ref_id_lpcbData
+      uint32 :lpcbData
+      uint32 :ref_id_lpcbLen
+      uint32 :lpcbLen
+
+      uint32 :windowsError
+    end
+
+    def baseRegQueryValue(valueName:, type:WINREG_REG_VALUE_TYPE["UNDEF"])
+      baseRegQueryValueReq = BaseRegQueryValueReq.new(handle:(@subKeyHandle || @rootKeyHandle), vName:valueName, type:type)
+      baseRegQueryValueRes = @file.ioctl_send_recv(baseRegQueryValueReq).buffer
+      baseRegQueryValueRes.raise_not_error_success("baseRegQueryValue")
+      baseRegQueryValueRes = BaseRegQueryValueRes.read(baseRegQueryValueRes)
+      type = baseRegQueryValueRes.lpType
+      data = baseRegQueryValueRes.lpData.str
+      case type
+        when 0
+          return data
+        when 1
+          return data.unpack("v*").pack("c*").chop
+        when 2
+          return data.unpack("v*").pack("c*").chop
+        when 3
+          return data
+        when 4
+          return data.unpack("V")[0]
+        when 5
+          return data.unpack("N")[0] 
+        when 7
+          return data.unpack("v*").pack("c*").split("\x00")
+        when 11
+          return data.unpack("Q<")[0]
+      end
+    end
+
+end
+end
+

data/lib/smbRpc/winreg/baseRegSaveKey.rb

@@ -0,0 +1,39 @@
+module SmbRpc
+  class Winreg < Rpc
+
+    class BaseRegSaveKeyReq < BinData::Record
+      endian :little
+      request :request
+      string :hKey, :length => 20
+      rpc_unicode_string :lpFile
+      conformantandVaryingStrings :lpFileNdr
+      uint32 :pSecurityAttributes
+
+      def initialize_instance
+        super
+        hKey.value = get_parameter(:handle)
+        uniString = "#{get_parameter(:file)}\x00".bytes.pack("v*")
+        lpFile.len.value = uniString.bytesize
+        lpFile.maximumLength.value = uniString.bytesize
+        lpFileNdr.str.value = uniString
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 20        #BaseRegSaveKey
+      end
+    end
+
+    class BaseRegSaveKeyRes < BinData::Record
+      endian :little
+      request :request
+      uint32 :windowsError
+    end
+
+    def baseRegSaveKey(file:)
+      baseRegSaveKeyReq = BaseRegSaveKeyReq.new(handle:(@subKeyHandle || @rootKeyHandle), file:file)
+      baseRegSaveKeyRes = @file.ioctl_send_recv(baseRegSaveKeyReq).buffer
+      baseRegSaveKeyRes.raise_not_error_success("baseRegSaveKey")
+      return self
+    end
+
+end
+end
+

data/lib/smbRpc/winreg/baseRegSetValue.rb

@@ -0,0 +1,46 @@
+module SmbRpc
+  class Winreg < Rpc
+
+    class BaseRegSetValueReq < BinData::Record
+      endian :little
+      request :request
+      string :hKey, :length => 20
+      rpc_unicode_string :lpValueName
+      conformantandVaryingStrings :lpValueNameNdr
+      uint32 :dwType
+      uint32 :maxCount, :value => lambda{ lpData.num_bytes }
+      string :lpData, :read_length => :maxCount
+      #pad to 4 bytes align per RPC spec
+      string :pad, :onlyif => lambda{ (maxCount.value % 4) > 0}, :length => lambda { (4 - (maxCount % 4)) % 4 }
+      uint32 :cbData, :value => :maxCount
+
+      def initialize_instance
+        super
+        hKey.value = get_parameter(:handle)
+        uniString = "#{get_parameter(:valueName)}\x00".bytes.pack("v*")
+        lpValueName.len.value = uniString.bytesize
+        lpValueName.maximumLength.value = uniString.bytesize
+        lpValueNameNdr.str.value = uniString
+        dwType.value = get_parameter(:type)
+        lpData.value = get_parameter(:data)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 22        #BaseRegSetValue
+      end
+    end
+
+    class BaseRegSetValueRes < BinData::Record
+      endian :little
+      request :request
+      uint32 :windowsError
+    end
+
+    def baseRegSetValue(valueName:, type:, data:)
+      baseRegSetValueReq = BaseRegSetValueReq.new(handle:(@subKeyHandle || @rootKeyHandle), valueName:valueName, type:type, data:data)
+      baseRegSetValueRes = @file.ioctl_send_recv(baseRegSetValueReq).buffer
+      baseRegSetValueRes.raise_not_error_success("baseRegSetValue")
+      return self
+    end
+
+end
+end
+

data/lib/smbRpc/winreg/constants.rb

@@ -0,0 +1,33 @@
+WINREG_REGSAM = {
+  "KEY_QUERY_VALUE" => 0x00000001,
+  "KEY_SET_VALUE" => 0x00000002,
+  "KEY_CREATE_SUB_KEY" => 0x00000004,
+  "KEY_ENUMERATE_SUB_KEYS" => 0x00000008,
+  "KEY_CREATE_LINK" => 0x00000020,
+  "KEY_WOW64_64KEY" => 0x00000100,
+  "KEY_WOW64_32KEY" => 0x00000200,
+  "MAXIMUM_ALLOWED" => 0x02000000
+}
+
+WINREG_OPTIONS = {
+  "NONE" => 0x00000000,
+  "REG_OPTION_BACKUP_RESTORE" => 0x00000004,
+  "REG_OPTION_OPEN_LINK" => 0x00000008,
+  "REG_OPTION_DONT_VIRTUALIZE" => 0x00000010
+}
+
+WINREG_REG_VALUE_TYPE = {
+  "UNDEF" => 0,
+  "REG_SZ" => 1,
+  "REG_EXPAND_SZ" => 2,
+  "REG_BINARY" => 3,
+  "REG_DWORDLE" => 4,
+  "REG_DWORDBE" => 5,
+  "REG_MULTI_SZ" => 7,
+  "REG_QWORDLE" => 11
+}
+
+WINREG_DISPOSITION = {
+  "REG_CREATED_NEW_KEY" => 0x00000001,
+  "REG_OPENED_EXISTING_KEY" => 0x00000002
+}

data/lib/smbRpc/winreg/openClassesRoot.rb

@@ -0,0 +1,37 @@
+module SmbRpc
+  class Winreg < Rpc
+
+    class OpenClassesRootReq < BinData::Record
+      endian :little
+      request :request
+      uint32 :serverName
+      uint32 :samDesired
+
+      def initialize_instance
+        super
+        samDesired.value = get_parameter(:access)
+
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 0        #OpenClassesRoot
+      end
+    end
+
+    class OpenClassesRootRes < BinData::Record
+      endian :little
+      request :request
+      string :phKey, :length => 20
+      uint32 :windowsError
+    end
+
+    def openClassesRoot(samDesired:WINREG_REGSAM["MAXIMUM_ALLOWED"])
+      openClassesRootReq = OpenClassesRootReq.new(access:samDesired)
+      openClassesRootRes = @file.ioctl_send_recv(openClassesRootReq).buffer
+      openClassesRootRes.raise_not_error_success("openClassesRoot")
+      openClassesRootRes = OpenClassesRootRes.read(openClassesRootRes)
+      @rootKeyHandle = openClassesRootRes.phKey
+      return self
+    end
+
+end
+end
+

data/lib/smbRpc/winreg/openCurrentConfig.rb

@@ -0,0 +1,37 @@
+module SmbRpc
+  class Winreg < Rpc
+
+    class OpenCurrentConfigReq < BinData::Record
+      endian :little
+      request :request
+      uint32 :serverName
+      uint32 :samDesired
+
+      def initialize_instance
+        super
+        samDesired.value = get_parameter(:access)
+
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 27        #OpenCurrentConfig
+      end
+    end
+
+    class OpenCurrentConfigRes < BinData::Record
+      endian :little
+      request :request
+      string :phKey, :length => 20
+      uint32 :windowsError
+    end
+
+    def openCurrentConfig(samDesired:WINREG_REGSAM["MAXIMUM_ALLOWED"])
+      openCurrentConfigReq = OpenCurrentConfigReq.new(access:samDesired)
+      openCurrentConfigRes = @file.ioctl_send_recv(openCurrentConfigReq).buffer
+      openCurrentConfigRes.raise_not_error_success("openCurrentConfig")
+      openCurrentConfigRes = OpenCurrentConfigRes.read(openCurrentConfigRes)
+      @rootKeyHandle = openCurrentConfigRes.phKey
+      return self
+    end
+
+end
+end
+

data/lib/smbRpc/winreg/openCurrentUser.rb

@@ -0,0 +1,37 @@
+module SmbRpc
+  class Winreg < Rpc
+
+    class OpenCurrentUserReq < BinData::Record
+      endian :little
+      request :request
+      uint32 :serverName
+      uint32 :samDesired
+
+      def initialize_instance
+        super
+        samDesired.value = get_parameter(:access)
+
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 1        #OpenCurrentUser
+      end
+    end
+
+    class OpenCurrentUserRes < BinData::Record
+      endian :little
+      request :request
+      string :phKey, :length => 20
+      uint32 :windowsError
+    end
+
+    def openCurrentUser(samDesired:WINREG_REGSAM["MAXIMUM_ALLOWED"])
+      openCurrentUserReq = OpenCurrentUserReq.new(access:samDesired)
+      openCurrentUserRes = @file.ioctl_send_recv(openCurrentUserReq).buffer
+      openCurrentUserRes.raise_not_error_success("openCurrentUser")
+      openCurrentUserRes = OpenCurrentUserRes.read(openCurrentUserRes)
+      @rootKeyHandle = openCurrentUserRes.phKey
+      return self
+    end
+
+end
+end
+

data/lib/smbRpc/winreg/openLocalMachine.rb

@@ -0,0 +1,37 @@
+module SmbRpc
+  class Winreg < Rpc
+
+    class OpenLocalMachineReq < BinData::Record
+      endian :little
+      request :request
+      uint32 :serverName
+      uint32 :samDesired
+
+      def initialize_instance
+        super
+        samDesired.value = get_parameter(:access)
+
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 2        #OpenLocalMachine
+      end
+    end
+
+    class OpenLocalMachineRes < BinData::Record
+      endian :little
+      request :request
+      string :phKey, :length => 20
+      uint32 :windowsError
+    end
+
+    def openLocalMachine(samDesired:WINREG_REGSAM["MAXIMUM_ALLOWED"])
+      openLocalMachineReq = OpenLocalMachineReq.new(access:samDesired)
+      openLocalMachineRes = @file.ioctl_send_recv(openLocalMachineReq).buffer
+      openLocalMachineRes.raise_not_error_success("openLocalMachine")
+      openLocalMachineRes = OpenLocalMachineRes.read(openLocalMachineRes)
+      @rootKeyHandle = openLocalMachineRes.phKey
+      return self
+    end
+
+end
+end
+

data/lib/smbRpc/winreg/openUsers.rb

@@ -0,0 +1,37 @@
+module SmbRpc
+  class Winreg < Rpc
+
+    class OpenUsersReq < BinData::Record
+      endian :little
+      request :request
+      uint32 :serverName
+      uint32 :samDesired
+
+      def initialize_instance
+        super
+        samDesired.value = get_parameter(:access)
+
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 4        #OpenUsers
+      end
+    end
+
+    class OpenUsersRes < BinData::Record
+      endian :little
+      request :request
+      string :phKey, :length => 20
+      uint32 :windowsError
+    end
+
+    def openUsers(samDesired:WINREG_REGSAM["MAXIMUM_ALLOWED"])
+      openUsersReq = OpenUsersReq.new(access:samDesired)
+      openUsersRes = @file.ioctl_send_recv(openUsersReq).buffer
+      openUsersRes.raise_not_error_success("openUsers")
+      openUsersRes = OpenUsersRes.read(openUsersRes)
+      @rootKeyHandle = openUsersRes.phKey
+      return self
+    end
+
+end
+end
+

data/smbRpc.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
   s.name        = 'smbRpc'
-  s.version     = '0.0.4'
-  s.date        = '2019-01-24'
+  s.version     = '0.0.5'
+  s.date        = '2019-02-09'
   s.summary     = "Interface to various Windows RPC services over SMB namepipes"
   s.description = "As describe in summary"
   s.authors     = ["Rungsree Singholka"]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smbRpc
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
 platform: ruby
 authors:
 - Rungsree Singholka
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-24 00:00:00.000000000 Z
+date: 2019-02-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby_smb
@@ -49,6 +49,9 @@ files:
 - examples/enumServices.rb
 - examples/enumSmbPipe.rb
 - examples/enumUsers.rb
+- examples/regAdd.rb
+- examples/regQuery.rb
+- examples/regSave.rb
 - examples/serverGetInfo.rb
 - lib/smbRpc.rb
 - lib/smbRpc/epmapper.rb
@@ -123,6 +126,24 @@ files:
 - lib/smbRpc/updateString.rb
 - lib/smbRpc/updateString/raise_not_error_success.rb
 - lib/smbRpc/updateString/to_des_ecb_lm.rb
+- lib/smbRpc/winreg.rb
+- lib/smbRpc/winreg/baseRegCloseKey.rb
+- lib/smbRpc/winreg/baseRegCreateKey.rb
+- lib/smbRpc/winreg/baseRegDeleteKey.rb
+- lib/smbRpc/winreg/baseRegDeleteValue.rb
+- lib/smbRpc/winreg/baseRegEnumKey.rb
+- lib/smbRpc/winreg/baseRegEnumValue.rb
+- lib/smbRpc/winreg/baseRegOpenKey.rb
+- lib/smbRpc/winreg/baseRegQueryInfoKey.rb
+- lib/smbRpc/winreg/baseRegQueryValue.rb
+- lib/smbRpc/winreg/baseRegSaveKey.rb
+- lib/smbRpc/winreg/baseRegSetValue.rb
+- lib/smbRpc/winreg/constants.rb
+- lib/smbRpc/winreg/openClassesRoot.rb
+- lib/smbRpc/winreg/openCurrentConfig.rb
+- lib/smbRpc/winreg/openCurrentUser.rb
+- lib/smbRpc/winreg/openLocalMachine.rb
+- lib/smbRpc/winreg/openUsers.rb
 - smbRpc.gemspec
 homepage: https://github.com/smbRpc/smbRpc
 licenses: