Wireshark-dev: Re: [Wireshark-dev] [openchange][devel] Parsing array and its size in EcDoRpcExt
From: Julien Kerihuel <j.kerihuel@xxxxxxxxxxxxxx>
Date: Tue, 28 Apr 2009 16:46:16 +0200
On Tue, 2009-04-28 at 11:16 +0200, Julien Kerihuel wrote:
> Conclusion:
> 1. I plan to implement this similarly to what was done for EcDoRpc:
>    - Try to write as much EcDoRpcExt2 related structures as possible, tag them as public and use NDR_NOALIGN
> 2. Only write manually the mapi2k3_rgbIn pull/push/print functions and rely as much as possible on generated/existing IDL.

Hi All,

I've made some progress since this morning:
- I support either XorMagic or Compressed rgbIn
- The blob is dumped properly with mapi_request

I can't actually use the compression() keyword in pidl and have instead been:
- adding the [public,nopull] keywords to the mapi2k7_request structure + wrote a custom implementation
- cloning the existing ndr_pull_compression_xpress_start/ndr_pull_compression_xpress_chunk and modified them to match the expected behavior.

Preliminary pointers while this cloning is required at the moment:
- the decomp routine is using some extra parameters we do not have in the compressed MAPI blob.
- there is a header problem when using compression (it looks for ndr/compression.h header file, which isn't installed)

The following is a list of what remains:
- "chained calls" behavior/code needs to be implemented
- The current behavior is only implemented for request and needs to be extended to response
- I am currently working on adding the implementation for the AUX_HEADER structure we have in rgbAuxIn and rgbAuxOut buffer
- We need either to extract the original obfuscate_data call from ndr_{pull,push}_mapi_request code to an upper layer or factorize the code with a custom parameter.

I have attached 2 sample ndrdump outputs for EcDoRpcExt2:
- one demonstrating the dump of a compressed request
- the other showing the dump of a xormagic request

Cheers,
Julien

---
Julien Kerihuel
j.kerihuel@xxxxxxxxxxxxxx
OpenChange Project Manager
GPG Fingerprint: 0B55 783D A781 6329 108A B609 7EF6 FE11 A35F 1F79
jkerihuel@cerebrox:/tmp/sample_capture$ ndrdump -l libmapi.so exchange_emsmdb 0xb in 10_in_Mapi_EcDoRpc --dump-data -d10
lp_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[globals]"
pm_process() returned Yes
adding hidden service IPC$
adding hidden service ADMIN$
pull returned NT_STATUS_OK
256 bytes consumed
[0000] 00 00 00 00 4C 8B 0E F2 38 1F E9 49 87 F0 1A CD   ....L... 8..I....
[0010] E1 84 41 B7 00 00 00 00 AF 00 00 00 00 00 05 00   ..A..... ........
[0020] A7 00 B6 00 09 08 00 00 AE 00 05 00 00 01 02 12   ........ ........
[0030] 00 01 00 04 00 14 00 48 67 14 00 4A 18 00 4D 67   .......H g..J..Mg
[0040] 03 00 4E 67 13 A8 00 01 00 01 00 00 04 40 02 40   ..Ng.... .....@.@
[0050] 00 08 30 01 18 64 00 00 4F 40 00 70 00 00 03 00   ..0..d.. O@.p....
[0060] 04 04 1F 00 1A 00 19 00 49 00 50 00 4D 00 2E 00   ........ I.P.M...
[0070] 45 00 10 51 40 00 78 00 74 00 65 00 6E 00 64 28   E..Q@.x. t.e.n.d(
[0080] 00 64 00 52 00 75 00 6C 48 00 2E E8 00 65 00 73   .d.R.u.l H....e.s
[0090] 08 00 61 00 67 48 00 00 00 08 1F 00 2B 82 12 00   ..a.gH.. ....+...
[00A0] EC 65 01 02 EC 65 19 00 4A 40 01 6E 00 6B 00 20   .e...e.. J@.n.k.
[00B0] 10 02 2D 00 6D 30 01 69 C0 01 20 06 02 02 00 6C   ..-.m0.i .. ....l
[00C0] 00 00 00 FF FF FF FF FF FF FF FF 00 AF 00 00 00   ........ ........
[00D0] 07 80 00 00 20 00 00 00 00 00 06 00 18 00 18 00   .... ... ........
[00E0] 08 00 01 01 01 00 07 00 10 00 01 0C 0F 00 00 00   ........ ........
[00F0] 0F 00 00 00 06 00 00 00 20 00 00 00 88 00 00 00   ........ .......
    0xb: struct EcDoConnectExt2
        in: struct EcDoConnectExt2
            handle : *
                handle: struct policy_handle
                    handle_type : 0x00000000 (0)
                    uuid : f20e8b4c-1f38-49e9-87f0-1acde18441b7
            pulFlags : *
                pulFlags : 0x00000000 (0)
                    0: pulFlags_NoCompression
                    0: pulFlags_NoXorMagic
                    0: pulFlags_Chain
            rgbIn : *
                rgbIn: struct mapi2k7_request
                    header: struct RPC_HEADER_EXT
                        Version : 0x0000 (0)
                        Flags : 0x0005 (5)
                            1: RHEF_Compressed
                            0: RHEF_XorMagic
                            1: RHEF_Last
                        Size : 0x00a7 (167)
                        SizeActual : 0x00b6 (182)
                    mapi_request : *
                        mapi_len : 0x000000b6 (182)
                        length : 0x00ae (174)
                        mapi_request: struct EcDoRpc_MAPI_REQ
                            opnum : 0x05 (5)
                            logon_id : 0x00 (0)
                            handle_idx : 0x00 (0)
                            u : union EcDoRpc_MAPI_REQ_UNION(case 5)
                                mapi_GetContentsTable: struct GetContentsTable_req
                                    handle_idx : 0x01 (1)
                                    TableFlags : 0x02 (2)
                                        0: TableFlags_Depth
                                        0: TableFlags_DeferredErrors
                                        0: TableFlags_NoNotifications
                                        0: TableFlags_SoftDeletes
                                        0: TableFlags_UseUnicode
                                        0: TableFlags_SuppressNotifications
                        mapi_request: struct EcDoRpc_MAPI_REQ
                            opnum : 0x12 (18)
                            logon_id : 0x00 (0)
                            handle_idx : 0x01 (1)
                            u : union EcDoRpc_MAPI_REQ_UNION(case 18)
                                mapi_SetColumns: struct SetColumns_req
                                    SetColumnsFlags : SetColumns_TBL_SYNC (0)
                                    prop_count : 0x0004 (4)
                                    properties: ARRAY(4)
                                        properties : PR_FID (0x67480014)
                                        properties : PR_MID (0x674A0014)
                                        properties : PR_INST_ID (0x674D0014)
                                        properties : PR_INSTANCE_NUM (0x674E0003)
                        mapi_request: struct EcDoRpc_MAPI_REQ
                            opnum : 0x13 (19)
                            logon_id : 0x00 (0)
                            handle_idx : 0x01 (1)
                            u : union EcDoRpc_MAPI_REQ_UNION(case 19)
                                mapi_SortTable: struct SortTable_req
                                    SortTableFlags : 0x00 (0)
                                    lpSortCriteria: struct SSortOrderSet
                                        cSorts : 0x0001 (1)
                                        cCategories : 0x0000 (0)
                                        cExpanded : 0x0000 (0)
                                        aSort: ARRAY(1)
                                            aSort: struct SSortOrder
                                                ulPropTag : PR_LAST_MODIFICATION_TIME (0x30080040)
                                                ulOrder : TABLE_SORT_COMBINE (0x1)
                        mapi_request: struct EcDoRpc_MAPI_REQ
                            opnum : 0x18 (24)
                            logon_id : 0x00 (0)
                            handle_idx : 0x01 (1)
                            u : union EcDoRpc_MAPI_REQ_UNION(case 24)
                                mapi_SeekRow: struct SeekRow_req
                                    origin : BOOKMARK_BEGINNING (0)
                                    offset : 0
                                    WantRowMovedCount : 0x00 (0)
                        mapi_request: struct EcDoRpc_MAPI_REQ
                            opnum : 0x4f (79)
                            logon_id : 0x00 (0)
                            handle_idx : 0x01 (1)
                            u : union EcDoRpc_MAPI_REQ_UNION(case 79)
                                mapi_FindRow: struct FindRow_req
                                    ulFlags : DIR_FORWARD (0)
                                    res: struct mapi_SRestriction
                                        rt : 0x00 (0)
                                        res : union mapi_SRestriction_CTR(case 0)
                                            resAnd: struct mapi_SAndRestriction
                                                cRes : 0x0003 (3)
                                                res: ARRAY(3)
                                                    res: struct mapi_SRestriction_and
                                                        rt : 0x04 (4)
                                                        res : union mapi_SRestriction_CTR(case 4)
                                                            resProperty: struct mapi_SPropertyRestriction
                                                                relop : 0x04 (4)
                                                                ulPropTag : PR_MESSAGE_CLASS_UNICODE (0x1A001F)
                                                                lpProp: struct mapi_SPropValue
                                                                    ulPropTag : PR_MESSAGE_CLASS_UNICODE (0x1A001F)
                                                                    value : union mapi_SPropValue_CTR(case 31)
                                                                        lpszW : 'IPM.ExtendedRule.Message'
                                                    res: struct mapi_SRestriction_and
                                                        rt : 0x08 (8)
                                                        res : union mapi_SRestriction_CTR(case 8)
                                                            resExist: struct mapi_SExistRestriction
                                                                ulPropTag : PR_RULE_MSG_NAME_UNICODE (0x65EC001F)
                                                    res: struct mapi_SRestriction_and
                                                        rt : 0x04 (4)
                                                        res : union mapi_SRestriction_CTR(case 4)
                                                            resProperty: struct mapi_SPropertyRestriction
                                                                relop : 0x04 (4)
                                                                ulPropTag : PR_RULE_MSG_NAME_UNICODE (0x65EC001F)
                                                                lpProp: struct mapi_SPropValue
                                                                    ulPropTag : PR_RULE_MSG_NAME_UNICODE (0x65EC001F)
                                                                    value : union mapi_SPropValue_CTR(case 31)
                                                                        lpszW : 'Junk E-mail Rule'
                                    origin : BOOKMARK_BEGINNING (0)
                                    bookmark : SBinary_short cb=0
                        mapi_request : (handles) number=2
                            handle : 0x0000006c (108)
                            handle : 0xffffffff (4294967295)
            cbIn : 0x000000af (175)
            pcbOut : *
                pcbOut : 0x00008007 (32775)
            rgbAuxIn: struct mapi2k7_request2
                header: struct RPC_HEADER_EXT
                    Version : 0x0000 (0)
                    Flags : 0x0006 (6)
                        0: RHEF_Compressed
                        1: RHEF_XorMagic
                        1: RHEF_Last
                    Size : 0x0018 (24)
                    SizeActual : 0x0018 (24)
                buffer : DATA_BLOB length=24
[0000] 08 00 01 01 01 00 07 00 10 00 01 0C 0F 00 00 00   ........ ........
[0010] 0F 00 00 00 06 00 00 00                           ........
            cbAuxIn : 0x00000020 (32)
            pcbAuxOut : *
                pcbAuxOut : 0x00000088 (136)
dump OK
jkerihuel@cerebrox:/tmp/sample_capture$
jkerihuel@cerebrox:/tmp/sample_capture$ ndrdump -l libmapi.so exchange_emsmdb 0xb in 11_in_Mapi_EcDoRpc --dump-data -d10
lp_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[globals]"
pm_process() returned Yes
adding hidden service IPC$
adding hidden service ADMIN$
pull returned NT_STATUS_OK
128 bytes consumed
[0000] 00 00 00 00 80 A6 D5 34 EA 4F F7 4C 85 E8 DC 70   .......4 .O.L...p
[0010] 5C D5 C8 2F 00 00 00 00 1F 00 00 00 00 00 06 00   \../.... ........
[0020] 17 00 17 00 13 00 07 00 00 00 00 00 00 02 00 1F   ........ ........
[0030] 00 1C 66 02 01 1B 66 37 00 00 00 A5 1F 00 00 00   ..f...f7 ........
[0040] 07 80 00 00 2E 00 00 00 00 00 05 00 26 00 30 00   ........ ....&.0.
[0050] 86 A7 A0 A5 AD A5 A4 A4 A4 A5 A6 A5 B5 A5 A4 A9   ........ ........
[0060] A5 A1 A5 A7 BD A5 BD A5 A7 AB A4 A5 AC A5 B4 A5   ........ ........
[0070] A2 60 A5 A5 A5 A5 00 00 2E 00 00 00 88 00 00 00   .`...... ........
    0xb: struct EcDoConnectExt2
        in: struct EcDoConnectExt2
            handle : *
                handle: struct policy_handle
                    handle_type : 0x00000000 (0)
                    uuid : 34d5a680-4fea-4cf7-85e8-dc705cd5c82f
            pulFlags : *
                pulFlags : 0x00000000 (0)
                    0: pulFlags_NoCompression
                    0: pulFlags_NoXorMagic
                    0: pulFlags_Chain
            rgbIn : *
                rgbIn: struct mapi2k7_request
                    header: struct RPC_HEADER_EXT
                        Version : 0x0000 (0)
                        Flags : 0x0006 (6)
                            0: RHEF_Compressed
                            1: RHEF_XorMagic
                            1: RHEF_Last
                        Size : 0x0017 (23)
                        SizeActual : 0x0017 (23)
                    mapi_request : *
                        mapi_len : 0x00000017 (23)
                        length : 0x0013 (19)
                        mapi_request: struct EcDoRpc_MAPI_REQ
                            opnum : 0x07 (7)
                            logon_id : 0x00 (0)
                            handle_idx : 0x00 (0)
                            u : union EcDoRpc_MAPI_REQ_UNION(case 7)
                                mapi_GetProps: struct GetProps_req
                                    PropertySizeLimit : 0x0000 (0)
                                    WantUnicode : 0x0000 (0)
                                    prop_count : 0x0002 (2)
                                    properties: ARRAY(2)
                                        properties : PR_MAILBOX_OWNER_NAME_UNICODE (0x661C001F)
                                        properties : PR_MAILBOX_OWNER_ENTRYID (0x661B0102)
                        mapi_request : (handles) number=1
                            handle : 0x00000037 (55)
            cbIn : 0x0000001f (31)
            pcbOut : *
                pcbOut : 0x00008007 (32775)
            rgbAuxIn: struct mapi2k7_request2
                header: struct RPC_HEADER_EXT
                    Version : 0x0000 (0)
                    Flags : 0x0005 (5)
                        1: RHEF_Compressed
                        0: RHEF_XorMagic
                        1: RHEF_Last
                    Size : 0x0026 (38)
                    SizeActual : 0x0030 (48)
                buffer : DATA_BLOB length=38
[0000] 86 A7 A0 A5 AD A5 A4 A4 A4 A5 A6 A5 B5 A5 A4 A9   ........ ........
[0010] A5 A1 A5 A7 BD A5 BD A5 A7 AB A4 A5 AC A5 B4 A5   ........ ........
[0020] A2 60 A5 A5 A5 A5                                 .`....
            cbAuxIn : 0x0000002e (46)
            pcbAuxOut : *
                pcbAuxOut : 0x00000088 (136)
dump OK
jkerihuel@cerebrox:/tmp/sample_capture$
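The two dumps above show the RPC_HEADER_EXT layout that sits in front of every rgbIn/rgbAuxIn payload: four little-endian 16-bit fields (Version, Flags, Size, SizeActual) followed by Size bytes of payload, with Flags 0x0005 decoding as Compressed|Last and 0x0006 as XorMagic|Last. The "chained calls" item on the to-do list is a walk over several such segments until one carries RHEF_Last. The C below is an added example, not OpenChange or pidl-generated code, that parses the header, walks a chain with the bounds checks a pull routine needs (payload size against the remaining buffer, SizeActual equal to Size when nothing is compressed), and de-obfuscates XorMagic segments. The XOR byte 0xA5 is taken from the MS-OXCRPC specification, not from this message; the sample chain is constructed by splitting the 24-byte rgbAuxIn payload of the first dump into two XorMagic segments, and compressed (LZ77/xpress) segments are only measured, not inflated.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flag bits as decoded by ndrdump above: 0x0005 = Compressed|Last, 0x0006 = XorMagic|Last. */
#define RHEF_COMPRESSED 0x0001
#define RHEF_XORMAGIC   0x0002
#define RHEF_LAST       0x0004

/* Byte XORed over an obfuscated payload (MS-OXCRPC value; assumption, not stated in the mail). */
#define XORMAGIC_BYTE 0xA5

struct rpc_header_ext {
    uint16_t version;
    uint16_t flags;
    uint16_t size;        /* bytes of payload following this header on the wire */
    uint16_t size_actual; /* payload size once decompressed */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one 8-byte header; returns 0 on success, -1 if the buffer is too short. */
int parse_rpc_header_ext(const uint8_t *buf, size_t len, struct rpc_header_ext *h)
{
    if (len < 8) return -1;
    h->version     = le16(buf);
    h->flags       = le16(buf + 2);
    h->size        = le16(buf + 4);
    h->size_actual = le16(buf + 6);
    return 0;
}

/* Walk (header, payload) segments until RHEF_Last. Uncompressed payloads are appended
 * to out, XOR-decoded when XorMagic is set; compressed ones are stepped over.
 * Returns the number of segments, or -1 on truncated or inconsistent input. */
int walk_rgb_chain(const uint8_t *buf, size_t len, uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t off = 0;
    int segs = 0;
    *out_len = 0;
    for (;;) {
        struct rpc_header_ext h;
        if (parse_rpc_header_ext(buf + off, len - off, &h) != 0) return -1; /* header cut off */
        off += 8;
        if (h.version != 0) return -1;
        if (h.size > len - off) return -1;            /* payload would overrun the buffer */
        if (!(h.flags & RHEF_COMPRESSED)) {
            if (h.size_actual != h.size) return -1;   /* inconsistent sizes without compression */
            if (*out_len + h.size > out_cap) return -1;
            for (uint16_t i = 0; i < h.size; i++) {
                uint8_t b = buf[off + i];
                if (h.flags & RHEF_XORMAGIC) b ^= XORMAGIC_BYTE;
                out[*out_len + i] = b;
            }
            *out_len += h.size;
        }
        off += h.size;
        segs++;
        if (h.flags & RHEF_LAST) break;
    }
    return segs;
}

/* Constructed plaintext: the 24-byte rgbAuxIn payload from the first dump above. */
static const uint8_t sample_plain[24] = {
    0x08,0x00,0x01,0x01,0x01,0x00,0x07,0x00,0x10,0x00,0x01,0x0C,0x0F,0x00,0x00,0x00,
    0x0F,0x00,0x00,0x00,0x06,0x00,0x00,0x00 };

static void put_header(uint8_t *p, uint16_t flags, uint16_t size, uint16_t actual)
{
    p[0] = 0; p[1] = 0;
    p[2] = flags & 0xff;  p[3] = flags >> 8;
    p[4] = size & 0xff;   p[5] = size >> 8;
    p[6] = actual & 0xff; p[7] = actual >> 8;
}

/* Constructed wire buffer: two XorMagic segments (8 + 16 payload bytes), only the second
 * flagged Last. Returns the wire length, 40, or 0 if cap is too small. */
size_t build_sample_chain(uint8_t *wire, size_t cap)
{
    if (cap < 40) return 0;
    put_header(wire, RHEF_XORMAGIC, 8, 8);
    for (int i = 0; i < 8; i++) wire[8 + i] = sample_plain[i] ^ XORMAGIC_BYTE;
    put_header(wire + 16, RHEF_XORMAGIC | RHEF_LAST, 16, 16);
    for (int i = 0; i < 16; i++) wire[24 + i] = sample_plain[8 + i] ^ XORMAGIC_BYTE;
    return 40;
}

/* Round trip: returns the recovered payload length (24) when it matches the plaintext, else -1. */
int demo_sample_chain(void)
{
    uint8_t wire[64], out[64];
    size_t n, wl = build_sample_chain(wire, sizeof wire);
    if (walk_rgb_chain(wire, wl, out, sizeof out, &n) != 2) return -1;
    if (n != sizeof sample_plain || memcmp(out, sample_plain, n) != 0) return -1;
    return (int)n;
}

int main(void)
{
    printf("recovered %d payload bytes from the constructed chain\n", demo_sample_chain());
    return 0;
}
```

The same walker is what the response side and the rgbAuxOut buffer need; only the inner payload parser (EcDoRpc_MAPI_REQ versus the response union, or AUX_HEADER) changes, which is why hoisting the obfuscate_data call above ndr_{pull,push}_mapi_request, as the mail proposes, fits this structure.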
Attachment:
signature.asc
Description: This is a digitally signed message part