NSEDoc

• Index
• NSE Documentation

Categories

• auth
• default
• discovery
• dos
• exploit
• external
• fuzzer
• intrusive
• malware
• safe
• version
• vuln

Scripts (show 134)(134)Scripts (134)

• afp-brute
• afp-path-vuln
• afp-serverinfo
• afp-showmount
• asn-query
• auth-owners
• auth-spoof
• banner
• citrix-brute-xml
• citrix-enum-apps
• citrix-enum-apps-xml
• citrix-enum-servers
• citrix-enum-servers-xml
• couchdb-databases
• couchdb-stats
• daap-get-library
• daytime
• db2-das-info
• dhcp-discover
• dns-cache-snoop
• dns-fuzz
• dns-random-srcport
• dns-random-txid
• dns-recursion
• dns-service-discovery
• dns-zone-transfer
• drda-brute
• drda-info
• finger
• ftp-anon
• ftp-bounce
• ftp-brute
• ftp-libopie
• html-title
• http-auth
• http-date
• http-enum
• http-favicon
• http-headers
• http-iis-webdav-vuln
• http-malware-host
• http-methods
• http-open-proxy
• http-passwd
• http-php-version
• http-trace
• http-userdir-enum
• http-vmware-path-vuln
• iax2-version
• imap-capabilities
• ipidseq
• irc-info
• irc-unrealircd-backdoor
• jdwp-version
• ldap-brute
• ldap-rootdse
• ldap-search
• lexmark-config
• mongodb-databases
• mongodb-info
• ms-sql-brute
• ms-sql-config
• ms-sql-empty-password
• ms-sql-hasdbaccess
• ms-sql-info
• ms-sql-query
• ms-sql-tables
• ms-sql-xp-cmdshell
• mysql-brute
• mysql-databases
• mysql-empty-password
• mysql-info
• mysql-users
• mysql-variables
• nbstat
• nfs-ls
• nfs-showmount
• nfs-statfs
• ntp-info
• ntp-monlist
• oracle-sid-brute
• p2p-conficker
• pgsql-brute
• pjl-ready-message
• pop3-brute
• pop3-capabilities
• pptp-version
• qscan
• realvnc-auth-bypass
• robots.txt
• rpcinfo
• skypev2-version
• smb-brute
• smb-check-vulns
• smb-enum-domains
• smb-enum-groups
• smb-enum-processes
• smb-enum-sessions
• smb-enum-shares
• smb-enum-users
• smb-os-discovery
• smb-psexec
• smb-security-mode
• smb-server-stats
• smb-system-info
• smbv2-enabled
• smtp-commands
• smtp-enum-users
• smtp-open-relay
• smtp-strangeport
• sniffer-detect
• snmp-brute
• snmp-interfaces
• snmp-netstat
• snmp-processes
• snmp-sysdescr
• snmp-win32-services
• snmp-win32-shares
• snmp-win32-software
• snmp-win32-users
• socks-open-proxy
• sql-injection
• ssh-hostkey
• sshv1
• ssl-cert
• ssl-enum-ciphers
• sslv2
• telnet-brute
• upnp-info
• vnc-brute
• vnc-info
• wdb-version
• whois
• x11-access

Libraries (show 47)(47)Libraries (47)

• afp
• asn1
• base64
• bin
• bit
• brute
• citrixxml
• comm
• datafiles
• dns
• drda
• http
• imap
• ipOps
• json
• ldap
• listop
• match
• mongodb
• msrpc
• msrpcperformance
• msrpctypes
• mssql
• mysql
• netbios
• nmap
• nsedebug
• openssl
• packet
• pcre
• pgsql
• pop3
• proxy
• rpc
• shortport
• smb
• smbauth
• snmp
• ssh1
• ssh2
• stdnse
• strbuf
• strict
• tab
• unpwdb
• url
• vnc

Library msrpctypes

This module was written to marshall parameters for Microsoft RPC (MSRPC) calls. The values passed in and out are based on structs defined by the protocol, and documented by Samba developers. For detailed breakdowns of the types, take a look at Samba 4.0's .idl files.

There is nothing simple about how this all comes together, so I'll take some time to explain how it's done. This is fairly technical and, when it comes right down to it, unnecessary for how to use these functions (although if you want to write one of these, you best understand it).

There are base types, like int32 and int16. These are marshalled the way you'd expect (converted to a 4- or 2-byte little endian string). The only trick with these is that they have to end up aligned on 4-byte boundaries. So, a 2-byte integer requires 2 bytes of padding, and a 1-byte integer requires 3 bytes of padding. The functions marshall_int32, marshall_int16, etc. will marshall the base types, and unmarshall_int32, unmarshall_int16, etc. will unmarshall them.

Strings are a little bit trickier. A string is preceded by three 32-bit values: the max length, the offset, and the length. Additionally, strings may or may not be null terminated, depending on where they're being used. For more information on strings, see the comments on marshall_unicode. The functions marshall_unicode and unmarshall_unicode can be used to mashall/unmarshall strings.

Pointers also have interesting properties. A pointer is preceeded by a 4-byte value called (at least by Wireshark) the "referent id". For a valid pointer, this can be anything except 0 (I use 'NMAP' for it). If it's '0', then it's a null pointer and the data doesn't actually follow. To help clarify, a pointer to the integer '4' could be marshalled as the hex string 78 56 34 12 04 00 00 00 (the referent_id is 0x12345678 and the integer itself is 0x00000004). If the integer is nil, then it's marshalled as 00 00 00 00, which is simply a referent_id of 0.

From the perspective of the program, pointers can be marshalled by using the "_ptr" versions of normal functions (for example, marshall_int32_ptr and unmarshall_unicode_ptr. From the perspective of functions within this module, especially functions for marshalling structs and arrays, the marshall_ptr and unmarshall_ptr functions should be used. These can marshall any data type; the marshalling function is passed as a parameter.

So far, this is fairly straight forward. Arrays are where everything falls apart.

An array of basic types is simply the types themselves, preceeded by the "max length" of the array (which can be longer than the actual length). When pointers are used in an array, however, things get hairy. The 'referent_id's of the pointers are all put at the start of the array, along with the base types. Then, the data is put at the end of the array, for all the referent_ids that aren't null. Let's say you have four strings, "abc", "def", null, and "jkl", in an array. The array would look like this:

 0x00200000 (referent_id for "abc")
 0x00400000 (referent_id for "def")
 0x00000000 (null referent_id)
 0x00800000 (referent_id for "jkl")
 "abc" (note that this also has the standard string stuff, the max_length, offset, and actual_length)
 "def"
 "ghi"

If you mix in a base type, it goes at the front along with the referent_ids. So, let's say you have a structure that contains two integers and a string. You have an array of these. It would encode like this:

 0x00200000 (referent_id for the string in the first struct)
 0x00000001 (first integer in the first struct)
 0x00000002 (second integer in the first struct)
 0x00400000 (referent_id for the string in the second struct)
 0x00000003 (first integer in the second struct)
 0x00000004 (second integer in the second struct)
 "string1" (contains max_length, offset, and actual_length)
 "string2"

From the perspective of the program, arrays shouldn't need to be marshalled/unmarshalled, this is tricky and should be left up to functions within this module. Functions within this module should use marshall_array and unmarshall_array to interact with arrays. These take callback functions for the datatype being stored in the array; these callback functions have to be in a particular format, so care should be taken when writing them. In particular, the first parameter has to be location, which is used to separate the header (the part with the referent_ids) and the body (the part with the pointer data). These are explained more thoroughly in the function headers.

Structs are handled the same as arrays. The referent_ids and base types go at the top, and the values being pointed to go at the bottom. An array of struct, as has already been shown, will have all the base types and referent_ids for all the members at the top, and all the values for all the pointers at the bottom.

Structs tend to be custom functions. Sometimes, these functions are passed as the callback to marshall_ptr or marshall_array (and the equivalent unmarshall_ functions). This means that the custom struct functions have to be able to split themselves into the base types and the pointer data automatically. For an example, see the functions that have already been written.

In the case where you need to unmarshall the same struct from both an array and a pointer, there's an issue; they require different prototypes. There's really no way to directly fix this, at least, none that I could come up with, so I write a function called unmarshall_struct. unmarshall_struct basically calls a struct unmarshalling function the same way unmarshall_array would. This is a bit of a kludge, but it's the best I could come up with.

There are different sections in here, which correspond to "families" of types. I modelled these after Samba's .idl files. MISC corresponds to misc.idl, LSA to lsa.idl, etc. Each of these sections has possible dependencies; for example, SAMR functions use LSA strings, and everything uses SECURITY and MISC. So the order is important -- dependencies have to go above the module.

The datatypes used here are modelled after the datatypes used by Microsoft's functions. Each function that represents a struct will have the struct definition in its comment; and that struct (or the closest representation to it) will be returned. Often, this requires scripts to access something like result['names']['names'][0]['name'], which is rather unwieldy, but I decided that following Microsoft's definitions was the most usable way for many reasons. I find the best way to figure out how to work a function is to call a print_table()-style function on the result and look at how the response is laid out.

Many datatypes are automatically encoded when sent and decoded when received to make life easier for developers. Some examples are:

• All absolute time values will be seconds from 1970
• All relative time values will be in seconds (this includes the hyper datatype); when possible, the milliseconds/microseconds (as far down as we have access to) will be preserved as a decimal
• All enumerations will be a string representing the constant (which can be converted to a user-readable string using one of the _tostr functions); what that means is, enumeration values are never used, only the names
• SIDs will be converted to user-readable strings in the standard format (S-x-y-...)
• GUIDs are stored as tables of values; however, I might change this to a string representation at some point

Source: http://nmap.org/svn/nselib/msrpctypes.lua

Functions

lsa_LookupNamesLevel_tostr (val)	Convert a lsa_LookupNamesLevel value to a string that can be shown to the user. This is based on the <code>_str</table> table.
lsa_SidType_tostr (val)	Convert a lsa_SidType value to a string that can be shown to the user. This is based on the <code>_str</table> table.
marshall_array (array)	Marshalls an array. Recall (from the module comment) that the data in an array is split into the referent_ids and base types at the top and the data at the bottom. This function will call any number of location-aware functions twice (once for the top and once for the bottom).
marshall_ascii (str, max_length)	Marshall a null-teriminated ascii string, with the length/maxlength prepended. Very similar to marshall_unicode, except it's ascii and the null terminator is always used.
marshall_ascii_ptr (str, max_length)	Marshall a pointer to an ascii string.
marshall_atsvc_DaysOfMonth (flags)	Marshall a atsvc_DaysOfMonth. This datatype is tied to the table above with that name.
marshall_atsvc_DaysOfWeek (flags)	Marshall a atsvc_DaysOfWeek. This datatype is tied to the table above with that name.
marshall_atsvc_Flags (flags)	Marshall a atsvc_Flags. This datatype is tied to the table above with that name.
marshall_atsvc_JobInfo (command, time)	Marshall a JobInfo struct. The structure is as follows:
marshall_basetype (location, func, args)	Similar to marshall_ptr, except that this marshalls a type that isn't a pointer. It also understands pointers, in the sense that it'll only return data in the HEAD section, since basetypes are printed in the HEAD and not the BODY.
marshall_dom_sid2 (sid)	Marshall a struct with the following definition:
marshall_Enum32 (val, table)	Marshall an entry in a table. Basically, converts the string to a number based on the entries in table before sending. Multiple values can be ORed together (like flags) by separating them with pipes ("|").
marshall_Enum8 (val, table, pad)	Marshall an entry in a table. Basically, converts the string to a number based on the entries in table before sending. Multiple values can be ORed together (like flags) by separating them with pipes ("|").
marshall_guid (guid)	Marshalls a GUID, which looks like this:
marshall_int16 (int16, pad)	Marshall an int16, which has the following format: [in] uint16 var
marshall_int16_ptr (int16, pad)	Marshall a pointer to an int16, which has the following format: [in,out] uint16 *ptr If the pointer is null, it simply marshalls the integer '0'. Otherwise, it uses a referent id followed by the integer.
marshall_int32 (int32)	Marshall an int32, which has the following format: [in] uint32 var
marshall_int32_array (data)	Marshall an array of int32 values.
marshall_int32_ptr (int32)	Marshall a pointer to an int32, which has the following format: [in,out] uint32 *ptr If the pointer is null, it simply marshalls the integer '0'. Otherwise, it uses a referent id followed by the integer.
marshall_int64 (int64)	Marshall an int64. This is simply an 8-byte integer inserted into the buffer, nothing fancy.
marshall_int64_ptr (int64)	Marshall a pointer to an int64. If the pointer is null, it simply marshalls the integer '0'. Otherwise, it uses a referent id followed by the integer.
marshall_int8 (int8, pad)	Marshall an int8, which has the following format: [in] uint8 var
marshall_int8_array (data, max_length)	Marshall an array of int8s, with an optional max_length set.
marshall_int8_array_ptr (data, max_length)	Marshall a pointer to an array of int8s.
marshall_int8_ptr (int8, pad)	Marshall a pointer to an int8, which has the following format: [in,out] uint8 *ptr If the pointer is null, it simply marshalls the integer '0'. Otherwise, it uses a referent id followed by the integer.
marshall_lsa_LookupNamesLevel (names_level)	Marshall a lsa_LookupNamesLevel. This datatype is tied to the table above with that name.
marshall_lsa_ObjectAttribute ()	Marshall a struct with the following definition:
marshall_lsa_QosInfo ()	Marshall a struct with the following definition:
marshall_lsa_SidArray (sids)	Marshall a struct with the following definition:
marshall_lsa_SidPtr (location, sid)	Marshall a struct with the following definition:
marshall_lsa_SidType (sid_type)	Marshall a lsa_SidType. This datatype is tied to the table above with that name.
marshall_lsa_String (str, max_length)	Public version of marshall_lsa_String_internal -- see that function on that for more information. This version doesn't require a location, so it's suitable to be a public function.
marshall_lsa_String_array (strings)	Marshall an array of lsa_String objects. This is a perfect demonstration of how to use marshall_array.
marshall_lsa_String_array2 (strings)	Basically the same as marshall_lsa_String_array, except it has a different structure
marshall_lsa_String_internal (location, str, max_length, do_null)	A lsa_String is a buffer that holds a non-null-terminated string. It can have a max size that's different from its actual size. I tagged this one as "internal" because I don't want the user to have to provide a "location".
marshall_lsa_TranslatedName2 (location, sid_type, name, sid_index, unknown)	Marshall a struct with the following definition:
marshall_lsa_TranslatedSid2 (location, sid_type, rid, sid_index, unknown)	Marshall a struct with the following definition:
marshall_lsa_TransNameArray2 (names)	Marshall a struct with the following definition:
marshall_lsa_TransSidArray2 (sids)	Marshall a struct with the following definition:
marshall_NTTIME (time)	Marshalls an NTTIME. This is sent as the number of 1/10 microseconds since 1601; however the internal representation is the number of seconds since 1970. Because doing conversions in code is annoying, the user will never have to understand anything besides seconds since 1970.
marshall_NTTIME_ptr (time)	Marshalls an NTTIME*.
marshall_policy_handle (policy_handle)	Marshalls a policy_handle, which looks like this:
marshall_ptr (location, func, args, value)	Marshalls a pointer to another datatype. This function will optionally separate the REFERENT_ID of the pointer (which goes at location = HEAD) from the data part of the pointer (which goes at location = BODY). If the entire pointer is needed, then location should be set to ALL.
marshall_samr_AcctFlags (flags)	Marshall a samr_AcctFlags. This datatype is tied to the table above with that name.
marshall_samr_ConnectAccessMask (accessmask)	Marshall a samr_ConnectAccessMask. This datatype is tied to the table above with that name.
marshall_samr_DomainAccessMask (accessmask)	Marshall a samr_DomainAccessMask. This datatype is tied to the table above with that name.
marshall_samr_PasswordProperties (properties)	Marshall a samr_PasswordProperties. This datatype is tied to the table above with that name.
marshall_srvsvc_NetSessCtr (level, data)	Marshall the top-level NetShareCtr. This is a union of a bunch of different containers:
marshall_srvsvc_NetSessCtr10 (NetSessCtr10)	Marshall a NetSessCtr (session container) type 10. It is a simple array with the following definition:
marshall_srvsvc_NetSessInfo10 (location, client, user, time, idle_time)	Marshall a NetSessInfo type 10.
marshall_srvsvc_NetShareCtr (level, data)	Marshall the top-level NetShareCtr. This is a union of a bunch of different containers:
marshall_srvsvc_NetShareCtr0 (NetShareCtr0)	Marshall a NetShareCtr (container) type 0. It is a simple array with the following definition:
marshall_srvsvc_NetShareCtr1 (NetShareCtr1)	Marshall a NetShareCtr (container) type 1. It is a simple array with the following definition:
marshall_srvsvc_NetShareCtr2 (NetShareCtr2)	Marshall a NetShareCtr (container) type 2. It is a simple array with the following definition:
marshall_srvsvc_NetShareInfo0 (location, name)	Marshall a NetShareInfo type 0, which is just a name.
marshall_srvsvc_NetShareInfo1 (location, name, sharetype, comment)	Marshall a NetShareInfo type 1, which is the name and a few other things.
marshall_srvsvc_NetShareInfo2 (location, name, sharetype, comment, permissions, max_users, current_users, path, password)	Marshall a NetShareInfo type 2, which is the name and a few other things.
marshall_srvsvc_ShareType (sharetype)	Marshall a srvsvc_ShareType. This datatype is tied to the table above with that name.
marshall_svcctl_ControlCode (flags)	Marshall a svcctl_ControlCode. This datatype is tied to the table above with that name.
marshall_svcctl_State (flags)	Marshall a svcctl_State. This datatype is tied to the table above with that name.
marshall_svcctl_Type (flags)	Marshall a svcctl_Type. This datatype is tied to the table above with that name.
marshall_unicode (str, do_null, max_length)	Marshall a string that is in the format: [string,charset(UTF16)] uint16 *str
marshall_unicode_array (strings, do_null)	Marshall an array of unicode strings. This is a perfect demonstration of how to use marshall_array.
marshall_unicode_array_ptr (strings, do_null)	Marshall a pointer to an array of unicode strings. See marshall_unicode_array for more information.
marshall_unicode_ptr (str, do_null, max_length)	Marshall a pointer to a unicode string.
marshall_winreg_AccessMask (accessmask)	Marshall a winreg_AccessMask.
marshall_winreg_String (table, max_length)	A winreg_String has the same makup as a winreg_StringBuf, as far as I can tell, so delegate to that function.
marshall_winreg_StringBuf (table, max_length)	A winreg_stringbuf is a buffer that holds a null-terminated string. It can have a max size that's different from its actual size.
marshall_winreg_StringBuf_ptr (table, max_length)	Marshall a winreg_StringBuffer pointer. Same as marshall_winreg_StringBuf, except the string can be nil.
marshall_winreg_Type (winregtype)	Marshall a winreg_Type. This datatype is tied to the table above with that name.
marshall_winreg_Type_ptr (winreg_type)	Marshall a pointer to a winreg_Type. This datatype is tied to the table above with that name.
samr_AcctFlags_tostr (val)	Convert a samr_AcctFlags value to a string that can be shown to the user. This is based on the <code>_str</table> table.
samr_ConnectAccessMask_tostr (val)	Convert a samr_ConnectAccessMask value to a string that can be shown to the user. This is based on the <code>_str</table> table.
samr_DomainAccessMask_tostr (val)	Convert a samr_DomainAccessMask value to a string that can be shown to the user. This is based on the <code>_str</table> table.
samr_PasswordProperties_tostr (val)	Convert a samr_PasswordProperties value to a string that can be shown to the user. This is based on the <code>_str</table> table.
srvsvc_ShareType_tostr (val)	Convert a srvsvc_ShareType value to a string that can be shown to the user. This is based on the <code>_str</table> table.
string_to_unicode (string, do_null)	Convert a string to fake unicode (ascii with null characters between them), optionally add a null terminator, and optionally align it to 4-byte boundaries. This is frequently used in MSRPC calls, so I put it here, but it might be a good idea to move this function (and the converse one below) into a separate library.
svcctl_ControlCode_tostr (val)	Convert a svcctl_ControlCode value to a string that can be shown to the user. This is based on the <code>_str</table> table.
unicode_to_string (buffer, pos, length, do_null)	Read a unicode string from a buffer, similar to how bin.unpack would, optionally eat the null terminator, and optionally align it to 4-byte boundaries.
unmarshall_array (data, pos, count, func, args)	Unmarshalls an array. This function starts to get a little hairy, due to the number of parameters that need to be propagated, but it isn't too bad. Basically, this unmarshalls an array by calling the given function for each element.
unmarshall_dom_sid2 (data, pos)	Unmarshall a struct with the following definition:
unmarshall_dom_sid2_ptr (data, pos)	Unmarshall a pointer to a dom_sid2 struct. See the unmarshall_dom_sid2 function for more information.
unmarshall_Enum16 (data, pos, table, default, pad)	Unmarshall an entry in a table. Basically, converts the next int16 in the buffer to a string based on the entries in table before returning.
unmarshall_Enum32 (data, pos, table, default)	Unmarshall an entry in a table. Basically, converts the next int32 in the buffer to a string based on the entries in table before returning.
unmarshall_Enum32_array (data, pos, table)	Similar to unmarshall_Enum32, except it'll return every value that could be ANDed together to create the resulting value (except a 0 value). This is effective for parsing flag data types.
unmarshall_guid (data, pos)	Unmarshalls a GUID. See marshall_guid for the structure.
unmarshall_hyper (data, pos)	Unmarshalls a hyper. I have no idea what a hyper is, just that it seems to be a 64-bit data type used for measuring time, and that the units happen to be negative microseconds. This function converts the value to seconds and returns it.
unmarshall_int16 (data, pos, pad)	Unmarshall an int16. See marshall_int16 for more information.
unmarshall_int16_ptr (data, pos, pad)	Unmarshall a pointer to an int16. See marshall_int16_ptr for more information.
unmarshall_int32 (data, pos)	Unmarshall an int32. See marshall_int32 for more information.
unmarshall_int32_array (data, pos, count)	Unmarshall an array of int32s.
unmarshall_int32_array_ptr (data, pos)	Unmarshall a pointer to an array of int32s.
unmarshall_int32_ptr (data, pos)	Unmarshall a pointer to an int32. See marshall_int32_ptr for more information.
unmarshall_int64 (data, pos)	Unmarshall an int64. See marshall_int64 for more information.
unmarshall_int8 (data, pos, pad)	Unmarshall an int8. See marshall_int8 for more information.
unmarshall_int8_array (data, pos, pad)	Unmarshall an array of int8s.
unmarshall_int8_array_ptr (data, pos, pad)	Unmarshall a pointer to an array of int8s. By default, aligns the result to 4-byte boundaries.
unmarshall_int8_ptr (data, pos, pad)	Unmarshall a pointer to an int8. See marshall_int8_ptr for more information.
unmarshall_lsa_DomainInfo (location, data, pos, result)	Unmarshall a struct with the following definition:
unmarshall_lsa_LookupNamesLevel (data, pos)	Unmarshall a lsa_LookupNamesLevel. This datatype is tied to the table with that name.
unmarshall_lsa_RefDomainList (data, pos)	Unmarshall a struct with the following definition:
unmarshall_lsa_RefDomainList_ptr (data, pos)	Unmarshall a pointer to a lsa_RefDomainList. See the unmarshall_lsa_RefDomainList function for more information.
unmarshall_lsa_SidArray (data, pos)	Unmarshall a struct with the following definition:
unmarshall_lsa_SidPtr (location, data, pos, result)	Unmarshall a struct with the following definition: typedef struct { dom_sid2 *sid; } lsa_SidPtr;
unmarshall_lsa_SidType (data, pos)	Unmarshall a lsa_SidType. This datatype is tied to the table with that name.
unmarshall_lsa_String_internal (location, data, pos, result)	Unmarshall a lsa_String value. See marshall_lsa_String_internal for more information.
unmarshall_lsa_StringLarge (location, data, pos, result)	Marshall a struct with the following definition:
unmarshall_lsa_TranslatedSid2 (location, data, pos, result)	Unmarshall a struct with the following definition:
unmarshall_lsa_TransNameArray2 (data, pos)	Unmarshall a lsa_TransNameArray2 structure. See the marshall_lsa_TransNameArray2 for more information.
unmarshall_lsa_TransSidArray2 (data, pos)	Unmarshall a struct with the following definition:
unmarshall_NTTIME (data, pos)	Unmarshalles an NTTIME. See marshall_NTTIME for more information.
unmarshall_NTTIME_ptr (data, pos)	Unmarshalles an NTTIME*.
unmarshall_policy_handle (data, pos)	Unmarshalls a policy_handle. See marshall_policy_handle for the structure.
unmarshall_ptr (location, data, pos, func, args, result)	Unmarshalls a pointer by removing the referent_id in the HEAD section and the data in the BODY section (or both in the ALL section). Because the unmarshall function for the body is called if and only if the referent_id is non-zero, if the head and the body are split apart, the second call to this function has to know the context. This is the purpose for the result parameter, it is the result from the first time this is called.
unmarshall_raw (data, pos, length)	Unmarshall raw data.
unmarshall_samr_AcctFlags (data, pos)	Unmarshall a samr_AcctFlags. This datatype is tied to the table with that name.
unmarshall_samr_ConnectAccessMask (data, pos)	Unmarshall a samr_ConnectAccessMask. This datatype is tied to the table with that name.
unmarshall_samr_DispEntryGeneral (location, data, pos, result)	Unmarshall a struct with the following definition:
unmarshall_samr_DispInfo (data, pos)	Unmarshall a struct with the following definition:
unmarshall_samr_DispInfoGeneral (data, pos)	Unmarshall a struct with the following definition:
unmarshall_samr_DomainAccessMask (data, pos)	Unmarshall a samr_DomainAccessMask. This datatype is tied to the table with that name.
unmarshall_samr_DomainInfo (data, pos)	Unmarshall a union with the following definition:
unmarshall_samr_DomainInfo_ptr (data, pos)	Unmarshall a pointer to a samr_DomainInfo. See unmarshall_samr_DomainInfo for more information.
unmarshall_samr_DomInfo1 (data, pos)	Unmarshall a struct with the following definition:
unmarshall_samr_DomInfo12 (data, pos)	Unmarshall a struct with the following definition:
unmarshall_samr_DomInfo8 (data, pos)	Unmarshall a struct with the following definition:
unmarshall_samr_Ids (data, pos)	Unmarshall a structure with the following definition:
unmarshall_samr_PasswordProperties (data, pos)	Unmarshall a samr_PasswordProperties. This datatype is tied to the table with that name.
unmarshall_samr_SamArray (data, pos)	Unmarshall a struct with the following definition:
unmarshall_samr_SamArray_ptr (data, pos)	Unmarshall a pointer to a samr_SamArray type. See unmarshall_samr_SamArray for more information.
unmarshall_samr_SamEntry (location, data, pos, result)	Unmarshall a struct with the following definition:
unmarshall_SERVICE_STATUS (data, pos)	Unmarshall a SERVICE_STATUS struct, converting it to a table. The structure is as follows:
unmarshall_srvsvc_NetSessCtr (data, pos)	Unmarshall the top-level NetShareCtr. This is a union; see the marshall function for more information.
unmarshall_srvsvc_NetSessCtr10 (data, pos)	Unmarshall a NetSessCtr (session container) type 10. See the marshall function for the definition.
unmarshall_srvsvc_NetSessInfo10 (location, data, pos, result)	Unmarshall a NetSessInfo type 10. For more information, see the marshall function.
unmarshall_srvsvc_NetShareCtr (data, pos)	Unmarshall the top-level NetShareCtr. This is a union of a bunch of containers, see the equivalent marshall function for more information; at the time of this writing I've only implemented level = 0.
unmarshall_srvsvc_NetShareCtr0 (data, pos)	Unmarshall a NetShareCtr (container) type 0. See the marshall function for the definition.
unmarshall_srvsvc_NetShareInfo (data, pos)	Unmarshall the top-level NetShareInfo. This is a union of a bunch of different structs:
unmarshall_srvsvc_NetShareInfo0 (location, data, pos, result)	Unmarshall a NetShareInfo type 0, which is just a name. See the marshall function for more information.
unmarshall_srvsvc_NetShareInfo1 (location, data, pos, result)	Unmarshall a NetShareInfo type 1, which is a name and a couple other things. See the marshall function for more information.
unmarshall_srvsvc_NetShareInfo2 (location, data, pos, result)	Unmarshall a NetShareInfo type 2, which is a name and a few other things. See the marshall function for more information.
unmarshall_srvsvc_ShareType (data, pos)	Unmarshall a srvsvc_ShareType. This datatype is tied to the table with that name.
unmarshall_srvsvc_Statistics (data, pos)	Unmarshall a srvsvc_Statistics packet. This is basically a great big struct:
unmarshall_srvsvc_Statistics_ptr (data, pos)	Unmarshalls a srvsvc_Statistics as a pointer. Wireshark fails to do this, and ends up parsing the packet wrong, so take care when packetlogging.
unmarshall_struct (data, pos, func, args)	Call a function that matches the prototype for unmarshall_array. This allows the same struct to be used in unmarshall_array and in unmarshall_ptr. It is kind of a kludge, but it makes sense, and was the cleanest solution I could come up with to this problem (although I'm sure that there's a better one staring me in the face).
unmarshall_svcctl_ControlCode (data, pos)	Unmarshall a svcctl_ControlCode. This datatype is tied to the table with that name.
unmarshall_svcctl_State (data, pos)	Unmarshall a svcctl_State. This datatype is tied to the table with that name.
unmarshall_svcctl_Type (data, pos)	Unmarshall a svcctl_Type. This datatype is tied to the table with that name.
unmarshall_SYSTEMTIME (data, pos)	Unmarshall a SYSTEMTIME structure, converting it to a standard representation. The structure is a follows:
unmarshall_unicode (data, pos, do_null)	Unmarshall a string that is in the format: [string,charset(UTF16)] uint16 *str
unmarshall_unicode_ptr (data, pos, do_null)	Unmarshall a pointer to a unicode string.
unmarshall_winreg_AccessMask (data, pos)	Unmarshall a winreg_AccessMask. This datatype is tied to the table with that name.
unmarshall_winreg_String (data, pos)	Unmarshall a winreg_String. Since ti has the same makup as winreg_StringBuf, delegate to that.
unmarshall_winreg_StringBuf (data, pos)	Unmarshall a winreg_StringBuf buffer.
unmarshall_winreg_StringBuf_ptr (data, pos)	Unmarshall a winreg_StringBuffer pointer
unmarshall_winreg_Type (data, pos)	Unmarshall a winreg_Type. This datatype is tied to the table with that name.
unmarshall_winreg_Type_ptr (data, pos)	Unmarshall a pointer to a winreg_Type. This datatype is tied to the table with that name.
winreg_AccessMask_tostr (val)	Convert a winreg_AccessMask value to a string that can be shown to the user. This is based on the <code>_str</table> table.
winreg_Type_tostr (val)	Convert a winreg_Type value to a string that can be shown to the user. This is based on the <code>_str</table> table.

Functions

lsa_LookupNamesLevel_tostr (val)

Convert a lsa_LookupNamesLevel value to a string that can be shown to the user. This is based on the <code>_str</table> table.

Parameters

• val: The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.

lsa_SidType_tostr (val)

Convert a lsa_SidType value to a string that can be shown to the user. This is based on the <code>_str</table> table.

Parameters

• val: The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.

marshall_array (array)

Marshalls an array. Recall (from the module comment) that the data in an array is split into the referent_ids and base types at the top and the data at the bottom. This function will call any number of location-aware functions twice (once for the top and once for the bottom).

Each element in the array can technically have a different function. I don't know why I allowed that, and may refactor it out in the future. For now, I strongly recommend setting the function to the same for every element.

The function that's called has to have the prototype:

func(location, <args>)

where "location" is the standard HEAD/BODY/ALL location used throughout the functions.

Parameters

• array: An array of tables. Each table contains 'func', a pointer to the marshalling function and 'args', the arguments to pass to the marshalling function after the 'location' variable.

Return value:

A string representing the marshalled data.

marshall_ascii (str, max_length)

Marshall a null-teriminated ascii string, with the length/maxlength prepended. Very similar to marshall_unicode, except it's ascii and the null terminator is always used.

Parameters

• str: The string to marshall.
• max_length: [optional] The maximum length; default: actual length.

marshall_ascii_ptr (str, max_length)

Marshall a pointer to an ascii string.

Parameters

• str: The string to insert. Can be nil.
• max_length: [optional] Sets a max length that's different than the string's length.

Return value:

A string representing the marshalled data.

marshall_atsvc_DaysOfMonth (flags)

Marshall a atsvc_DaysOfMonth. This datatype is tied to the table above with that name.

Parameters

• flags: The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_atsvc_DaysOfWeek (flags)

Marshall a atsvc_DaysOfWeek. This datatype is tied to the table above with that name.

Parameters

• flags: The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_atsvc_Flags (flags)

Marshall a atsvc_Flags. This datatype is tied to the table above with that name.

Parameters

• flags: The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_atsvc_JobInfo (command, time)

Marshall a JobInfo struct. The structure is as follows:

   typedef struct {
       uint32 job_time;
       atsvc_DaysOfMonth days_of_month;
       atsvc_DaysOfWeek days_of_week;
       atsvc_Flags flags;
       [string,charset(UTF16)] uint16 *command;
   } atsvc_JobInfo;

Parameters

• command: The command to run. This has to be just the command, no parameters; if a program requires parameters, then the best way to run it is through a batch file.
• time: The time at which to run the job, in milliseconds from midnight.

marshall_basetype (location, func, args)

Similar to marshall_ptr, except that this marshalls a type that isn't a pointer. It also understands pointers, in the sense that it'll only return data in the HEAD section, since basetypes are printed in the HEAD and not the BODY.

Using this isn't strictly necessary, but it cleans up functions for generating structs containing both pointers and basetypes (see marshall_srvsvc_NetShareInfo2).

Like marshall_ptr, the function doesn't have to match any prototype, as long as the proper arguments are passed to it.

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• func: The function to call when encoding the body. Should convert the arguments passed in the args parameter to a string.
• args: An array of arguments that will be directly passed to the function func

Return value:

A string representing the marshalled data.

marshall_dom_sid2 (sid)

Marshall a struct with the following definition:

   typedef [public,gensize,noprint,noejs,nosize] struct {
       uint8  sid_rev_num;             /**< SID revision number */
       [range(0,15)] int8  num_auths;  /**< Number of sub-authorities */
       uint8  id_auth[6];              /**< Identifier Authority */
       uint32 sub_auths[num_auths];
   } dom_sid;

Parameters

• sid:

Return value:

A string representing the marshalled data.

marshall_Enum32 (val, table)

Marshall an entry in a table. Basically, converts the string to a number based on the entries in table before sending. Multiple values can be ORed together (like flags) by separating them with pipes ("|").

Parameters

• val: The value to look up. Can be multiple values with pipes between, eg, "A|B|C".
• table: The table to use for lookups. The keys should be the names, and the values should be the numbers.

Return value:

A string representing the marshalled data.

marshall_Enum8 (val, table, pad)

Marshall an entry in a table. Basically, converts the string to a number based on the entries in table before sending. Multiple values can be ORed together (like flags) by separating them with pipes ("|").

Parameters

• val: The value to look up. Can be multiple values with pipes between, eg, "A|B|C".
• table: The table to use for lookups. The keys should be the names, and the values should be the numbers.
• pad: [optional] If set, will ensure that we end up on an even multiple of 4. Default: true.

Return value:

A string representing the marshalled data.

marshall_guid (guid)

Marshalls a GUID, which looks like this:

	typedef [public,noprint,gensize,noejs] struct {
		uint32 time_low;
		uint16 time_mid;
		uint16 time_hi_and_version;
		uint8  clock_seq[2];
		uint8  node[6];
	} GUID;

Parameters

• guid: A table representing the GUID.

Return value:

A string representing the marshalled data.

marshall_int16 (int16, pad)

Marshall an int16, which has the following format: [in] uint16 var

This is simply an integer inserted into the buffer, nothing fancy.

Parameters

• int16: The integer to insert
• pad: [optional] If set, will align the insert on 4-byte boundaries. Default: true.

Return value:

A string representing the marshalled data.

marshall_int16_ptr (int16, pad)

Marshall a pointer to an int16, which has the following format: [in,out] uint16 *ptr If the pointer is null, it simply marshalls the integer '0'. Otherwise, it uses a referent id followed by the integer.

Parameters

• int16: The value of the integer pointer
• pad: [optional] If set, will align the insert on 4-byte boundaries. Default: true.

Return value:

A string representing the marshalled data.

marshall_int32 (int32)

Marshall an int32, which has the following format: [in] uint32 var

This is simply an integer inserted into the buffer, nothing fancy.

Parameters

• int32: The integer to insert

Return value:

A string representing the marshalled data.

marshall_int32_array (data)

Marshall an array of int32 values.

Parameters

• data: The array

Return value:

A string representing the marshalled data

marshall_int32_ptr (int32)

Marshall a pointer to an int32, which has the following format: [in,out] uint32 *ptr If the pointer is null, it simply marshalls the integer '0'. Otherwise, it uses a referent id followed by the integer.

Parameters

• int32: The value of the integer pointer

Return value:

A string representing the marshalled data.

marshall_int64 (int64)

Marshall an int64. This is simply an 8-byte integer inserted into the buffer, nothing fancy.

Parameters

• int64: The integer to insert

Return value:

A string representing the marshalled data.

marshall_int64_ptr (int64)

Marshall a pointer to an int64. If the pointer is null, it simply marshalls the integer '0'. Otherwise, it uses a referent id followed by the integer.

Parameters

• int64: The value of the integer pointer

Return value:

A string representing the marshalled data.

marshall_int8 (int8, pad)

Marshall an int8, which has the following format: [in] uint8 var

This is simply an integer inserted into the buffer, nothing fancy.

Parameters

• int8: The integer to insert
• pad: [optional] If set, will align the insert on 4-byte boundaries. Default: true.

Return value:

A string representing the marshalled data.

marshall_int8_array (data, max_length)

Marshall an array of int8s, with an optional max_length set.

Parameters

• data: The array to marshall, as a string. Cannot be nil.
• max_length: [optional] The maximum length of the buffer. Default: the length of data.

Return value:

A string representing the marshalled data.

marshall_int8_array_ptr (data, max_length)

Marshall a pointer to an array of int8s.

Parameters

• data: The array to marshall, as a string. Can be nil.
• max_length: [optional] The maximum length of the buffer. Default: the length of data.

Return value:

A string representing the marshalled data.

marshall_int8_ptr (int8, pad)

Marshall a pointer to an int8, which has the following format: [in,out] uint8 *ptr If the pointer is null, it simply marshalls the integer '0'. Otherwise, it uses a referent id followed by the integer.

Parameters

• int8: The value of the integer pointer
• pad: [optional] If set, will align the insert on 4-byte boundaries. Default: true.

Return value:

A string representing the marshalled data.

marshall_lsa_LookupNamesLevel (names_level)

Marshall a lsa_LookupNamesLevel. This datatype is tied to the table above with that name.

Parameters

• names_level: The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_lsa_ObjectAttribute ()

Marshall a struct with the following definition:

   typedef struct {
       uint32 len; /* ignored */
       uint8 *root_dir;
       [string,charset(UTF16)] uint16 *object_name;
       uint32 attributes;
       security_descriptor *sec_desc;
       lsa_QosInfo *sec_qos;
   } lsa_ObjectAttribute;

I didn't bother letting the user specify values, since I don't know what any of them do. The defaults seem to work really well.

Return value:

A string representing the marshalled data.

marshall_lsa_QosInfo ()

Marshall a struct with the following definition:

   typedef struct {
       uint32  len; /* ignored */
       uint16  impersonation_level;
       uint8   context_mode;
       uint8   effective_only;
   } lsa_QosInfo;

I didn't bother letting the user specify values, since I don't know what any of them do. The defaults seem to work really well.

Return value:

A string representing the marshalled data.

marshall_lsa_SidArray (sids)

Marshall a struct with the following definition:

   typedef [public] struct {
       [range(0,1000)] uint32 num_sids;
       [size_is(num_sids)] lsa_SidPtr *sids;
   } lsa_SidArray;

Parameters

• sids: The array of SIDs to marshall (as strings).

Return value:

A string representing the marshalled data.

marshall_lsa_SidPtr (location, sid)

Marshall a struct with the following definition:

   typedef struct {
       dom_sid2 *sid;
   } lsa_SidPtr;

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• sid: The SID to marshall (as a string).

Return value:

A string representing the marshalled data.

marshall_lsa_SidType (sid_type)

Marshall a lsa_SidType. This datatype is tied to the table above with that name.

Parameters

• sid_type: The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_lsa_String (str, max_length)

Public version of marshall_lsa_String_internal -- see that function on that for more information. This version doesn't require a location, so it's suitable to be a public function.

Parameters

• str: The string to marshall
• max_length: [optional] The maximum size of the buffer, in characters, including the null terminator. Defaults to the length of the string, including the null.

Return value:

A string representing the marshalled data.

marshall_lsa_String_array (strings)

Marshall an array of lsa_String objects. This is a perfect demonstration of how to use marshall_array.

Parameters

• strings: The array of strings to marshall

Return value:

A string representing the marshalled data.

marshall_lsa_String_array2 (strings)

Basically the same as marshall_lsa_String_array, except it has a different structure

Parameters

• strings: The array of strings to marshall

marshall_lsa_String_internal (location, str, max_length, do_null)

A lsa_String is a buffer that holds a non-null-terminated string. It can have a max size that's different from its actual size. I tagged this one as "internal" because I don't want the user to have to provide a "location".

This is the format:

   typedef [public,noejs] struct {
       [value(2*strlen_m(string))] uint16 length;
       [value(2*strlen_m(string))] uint16 size;
       [charset(UTF16),size_is(size/2),length_is(length/2)] uint16 *string;
   } lsa_String;

Parameters

• location: The part of the pointer wanted, either HEAD (for the referent_id), BODY (for the pointer data), or ALL (for both together). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• str: The string to marshall
• max_length: [optional] The maximum size of the buffer, in characters, including the null terminator. Defaults to the length of the string, including the null.
• do_null: [optional] Appends a null to the end of the string. Default false.

Return value:

A string representing the marshalled data.

marshall_lsa_TranslatedName2 (location, sid_type, name, sid_index, unknown)

Marshall a struct with the following definition:

   typedef struct {
       lsa_SidType sid_type;
       lsa_String name;
       uint32 sid_index;
       uint32 unknown;
   } lsa_TranslatedName2;

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• sid_type: The sid_type value, as a string
• name: The name of the user
• sid_index: The sid_index (I don't know what this is)
• unknown: An unknown value, normally 0

Return value:

A string representing the marshalled data.

marshall_lsa_TranslatedSid2 (location, sid_type, rid, sid_index, unknown)

Marshall a struct with the following definition:

   typedef struct {
       lsa_SidType sid_type;
       uint32 rid;
       uint32 sid_index;
       uint32 unknown;
   } lsa_TranslatedSid2;

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• sid_type: The sid_type value (I don't know what this means)
• rid: The rid (a number representing the user)
• sid_index: The sid_index value (I don't know what this means, either)
• unknown: An unknown value (is normaly 0).

Return value:

A string representing the marshalled data.

marshall_lsa_TransNameArray2 (names)

Marshall a struct with the following definition:

   typedef struct {
       [range(0,1000)] uint32 count;
       [size_is(count)] lsa_TranslatedName2 *names;
   } lsa_TransNameArray2;

Parameters

• names: An array of names to translate.

Return value:

A string representing the marshalled data.

marshall_lsa_TransSidArray2 (sids)

Marshall a struct with the following definition:

   typedef struct {
       [range(0,1000)] uint32 count;
       [size_is(count)] lsa_TranslatedSid2 *sids;
   } lsa_TransSidArray2;

Parameters

• sids: An array of SIDs to translate (as strings)

Return value:

A string representing the marshalled data.

marshall_NTTIME (time)

Marshalls an NTTIME. This is sent as the number of 1/10 microseconds since 1601; however the internal representation is the number of seconds since 1970. Because doing conversions in code is annoying, the user will never have to understand anything besides seconds since 1970.

Parameters

• time: The time, in seconds since 1970.

Return value:

A string representing the marshalled data.

marshall_NTTIME_ptr (time)

Marshalls an NTTIME*.

Parameters

• time: The time, in seconds since 1970.

Return value:

A string representing the marshalled data.

marshall_policy_handle (policy_handle)

Marshalls a policy_handle, which looks like this:

	typedef struct {
		uint32 handle_type;
		GUID   uuid;
	} policy_handle;

Parameters

• policy_handle: The policy_handle to marshall.

Return value:

A string representing the marshalled data.

marshall_ptr (location, func, args, value)

Marshalls a pointer to another datatype. This function will optionally separate the REFERENT_ID of the pointer (which goes at location = HEAD) from the data part of the pointer (which goes at location = BODY). If the entire pointer is needed, then location should be set to ALL.

When marshalling the body, the function func is called, which is passed as a parameter, with the arguments args. This function has to return a marshalled parameter, but other than that it can be any marshalling function. The 'value' parameter simply determined whether or not it's a null pointer, and will probably be a repease of one of the arguments.

Note that the function func doesn't have to conform to any special prototype, as long as the args array matches what the function wants.

This can be used to marshall an int16 value of 0x1234 with padding like this:

 marshall_ptr(ALL, marshall_int16, {0x1234, true}, 0x1234)

And here's how a 'nil' string might be marshalled:

 local str = nil
 marshall_ptr(ALL, marshall_unicode, {str, true}, str)

Parameters

• location: The part of the pointer wanted, either HEAD (for the referent_id), BODY (for the pointer data), or ALL (for both together). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• func: The function to call when encoding the body. Should convert the arguments passed in the args parameter to a string.
• args: An array of arguments that will be directly passed to the function func
• value: The value that's actually being encoded. This is simply used to determine whether or not the pointer is null.

Return value:

A string representing the marshalled data.

marshall_samr_AcctFlags (flags)

Marshall a samr_AcctFlags. This datatype is tied to the table above with that name.

Parameters

• flags: The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_samr_ConnectAccessMask (accessmask)

Marshall a samr_ConnectAccessMask. This datatype is tied to the table above with that name.

Parameters

• accessmask: The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_samr_DomainAccessMask (accessmask)

Marshall a samr_DomainAccessMask. This datatype is tied to the table above with that name.

Parameters

• accessmask: The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_samr_PasswordProperties (properties)

Marshall a samr_PasswordProperties. This datatype is tied to the table above with that name.

Parameters

• properties: The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_srvsvc_NetSessCtr (level, data)

Marshall the top-level NetShareCtr. This is a union of a bunch of different containers:

   typedef union {
       [case(0)] srvsvc_NetSessCtr0 *ctr0;
       [case(1)] srvsvc_NetSessCtr1 *ctr1;
       [case(2)] srvsvc_NetSessCtr2 *ctr2;
       [case(10)] srvsvc_NetSessCtr10 *ctr10;
       [case(502)] srvsvc_NetSessCtr502 *ctr502;
       [default] ;
   } srvsvc_NetSessCtr;

Not all of them are implemented, however; look at the code to see which are implemented (at the time of this writing, it's just 10).

Parameters

• level: The level to request. Different levels will return different results, but also require different access levels to call.
• data: The data to populate the array with. Depending on the level, this data will be different.

Return value:

A string representing the marshalled data.

marshall_srvsvc_NetSessCtr10 (NetSessCtr10)

Marshall a NetSessCtr (session container) type 10. It is a simple array with the following definition:

   typedef struct {
       uint32 count;
       [size_is(count)] srvsvc_NetSessInfo10 *array;
   } srvsvc_NetSessCtr10;

Parameters

• NetSessCtr10: A table representing the structure.

Return value:

A string representing the marshalled data.

marshall_srvsvc_NetSessInfo10 (location, client, user, time, idle_time)

Marshall a NetSessInfo type 10.

   typedef struct {
       [string,charset(UTF16)] uint16 *client;
       [string,charset(UTF16)] uint16 *user;
       uint32 time;
       uint32 idle_time;
   } srvsvc_NetSessInfo10;

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• client: The client string.
• user: The user string.
• time: The number of seconds that the user has been logged on.
• idle_time: The number of seconds that the user's been idle.

Return value:

A string representing the marshalled data.

marshall_srvsvc_NetShareCtr (level, data)

Marshall the top-level NetShareCtr. This is a union of a bunch of different containers:

   typedef union {
       [case(0)] srvsvc_NetShareCtr0 *ctr0;
       [case(1)] srvsvc_NetShareCtr1 *ctr1;
       [case(2)] srvsvc_NetShareCtr2 *ctr2;
       [case(501)] srvsvc_NetShareCtr501 *ctr501;
       [case(502)] srvsvc_NetShareCtr502 *ctr502;
       [case(1004)] srvsvc_NetShareCtr1004 *ctr1004;
       [case(1005)] srvsvc_NetShareCtr1005 *ctr1005;
       [case(1006)] srvsvc_NetShareCtr1006 *ctr1006;
       [case(1007)] srvsvc_NetShareCtr1007 *ctr1007;
       [case(1501)] srvsvc_NetShareCtr1501 *ctr1501;
       [default] ;
   } srvsvc_NetShareCtr;

Not all of them are implemented, however; look at the code to see which are implemented (at the time of this writing, it's 0, 1, and 2).

Parameters

• level: The level to request. Different levels will return different results, but also require different access levels to call.
• data: The data to populate the array with. Depending on the level, this data will be different. For level 0, you'll probably want a table containing array=nil.

Return value:

A string representing the marshalled data, or 'nil' if it couldn't be marshalled.

marshall_srvsvc_NetShareCtr0 (NetShareCtr0)

Marshall a NetShareCtr (container) type 0. It is a simple array with the following definition:

    typedef struct {
       uint32 count;
       [size_is(count)] srvsvc_NetShareInfo0 *array;
   } srvsvc_NetShareCtr0;

Parameters

• NetShareCtr0: A table representing the structure.

Return value:

A string representing the marshalled data.

marshall_srvsvc_NetShareCtr1 (NetShareCtr1)

Marshall a NetShareCtr (container) type 1. It is a simple array with the following definition:

   typedef struct {
       uint32 count;
       [size_is(count)] srvsvc_NetShareInfo1 *array;
   } srvsvc_NetShareCtr1;

Parameters

• NetShareCtr1: A table representing the structure.

Return value:

A string representing the marshalled data.

marshall_srvsvc_NetShareCtr2 (NetShareCtr2)

Marshall a NetShareCtr (container) type 2. It is a simple array with the following definition:

   typedef struct {
       uint32 count;
       [size_is(count)] srvsvc_NetShareInfo2 *array;
   } srvsvc_NetShareCtr2;

Parameters

• NetShareCtr2: A pointer to the structure.

Return value:

A string representing the marshalled data.

marshall_srvsvc_NetShareInfo0 (location, name)

Marshall a NetShareInfo type 0, which is just a name.

   typedef struct {
       [string,charset(UTF16)] uint16 *name;
   } srvsvc_NetShareInfo0;

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• name: The name to marshall.

Return value:

A string representing the marshalled data.

marshall_srvsvc_NetShareInfo1 (location, name, sharetype, comment)

Marshall a NetShareInfo type 1, which is the name and a few other things.

   typedef struct {
       [string,charset(UTF16)] uint16 *name;
       srvsvc_ShareType type;
       [string,charset(UTF16)] uint16 *comment;
   } srvsvc_NetShareInfo1;

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• name: The name to marshall.
• sharetype: The sharetype to marshall (as a string).
• comment: The comment to marshall.

Return value:

A string representing the marshalled data.

marshall_srvsvc_NetShareInfo2 (location, name, sharetype, comment, permissions, max_users, current_users, path, password)

Marshall a NetShareInfo type 2, which is the name and a few other things.

   typedef struct {
       [string,charset(UTF16)] uint16 *name;
       srvsvc_ShareType type;
       [string,charset(UTF16)] uint16 *comment;
       uint32 permissions;
       uint32 max_users;
       uint32 current_users;
       [string,charset(UTF16)] uint16 *path;
       [string,charset(UTF16)] uint16 *password;
   } srvsvc_NetShareInfo2;

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• name: The name to marshall.
• sharetype: The sharetype to marshall (as a string).
• comment: The comment to marshall.
• permissions: The permissions, an integer.
• max_users: The max users, an integer.
• current_users: The current users, an integer.
• path: The path, a string.
• password: The share-level password, a string (never used on Windows).

Return value:

A string representing the marshalled data.

marshall_srvsvc_ShareType (sharetype)

Marshall a srvsvc_ShareType. This datatype is tied to the table above with that name.

Parameters

• sharetype: The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_svcctl_ControlCode (flags)

Marshall a svcctl_ControlCode. This datatype is tied to the table above with that name.

Parameters

• flags: The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_svcctl_State (flags)

Marshall a svcctl_State. This datatype is tied to the table above with that name.

Parameters

• flags: The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_svcctl_Type (flags)

Marshall a svcctl_Type. This datatype is tied to the table above with that name.

Parameters

• flags: The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_unicode (str, do_null, max_length)

Marshall a string that is in the format: [string,charset(UTF16)] uint16 *str

This has the max size of the buffer, the offset (I'm not sure what the offset does, I've never seen it used), the actual size, and the string itself. This will always align to the 4-byte boundary.

Parameters

• str: The string to insert. Cannot be nil.
• do_null: [optional] Appends a null to the end of the string. Default false.
• max_length: [optional] Sets a max length that's different than the string's length. Length is in characters, not bytes.

Return value:

A string representing the marshalled data.

marshall_unicode_array (strings, do_null)

Marshall an array of unicode strings. This is a perfect demonstration of how to use marshall_array.

Parameters

• strings: The array of strings to marshall
• do_null: [optional] Appends a null to the end of the string. Default false.

Return value:

A string representing the marshalled data.

marshall_unicode_array_ptr (strings, do_null)

Marshall a pointer to an array of unicode strings. See marshall_unicode_array for more information.

Parameters

• strings: The array of strings to marshall
• do_null: [optional] Appends a null to the end of the string. Default false.

Return value:

A string representing the marshalled data.

marshall_unicode_ptr (str, do_null, max_length)

Marshall a pointer to a unicode string.

Parameters

• str: The string to insert. Can be nil.
• do_null: [optional] Appends a null to the end of the string. Default false.
• max_length: [optional] Sets a max length that's different than the string's length. Length is in characters, not bytes.

Return value:

A string representing the marshalled data.

marshall_winreg_AccessMask (accessmask)

Marshall a winreg_AccessMask.

Parameters

• accessmask: The access mask as a string (see the winreg_AccessMask table)

Return value:

A string representing the marshalled data.

marshall_winreg_String (table, max_length)

A winreg_String has the same makup as a winreg_StringBuf, as far as I can tell, so delegate to that function.

Parameters

• table: The table representing the String.
• max_length: [optional] The maximum size of the buffer, in characters. Defaults to the length of the string, including the null.

Return value:

A string representing the marshalled data.

marshall_winreg_StringBuf (table, max_length)

A winreg_stringbuf is a buffer that holds a null-terminated string. It can have a max size that's different from its actual size.

This is the format:

	typedef struct {
		[value(strlen_m_term(name)*2)] uint16 length; 
		uint16 size;
		[size_is(size/2),length_is(length/2),charset(UTF16)] uint16 *name;
	} winreg_StringBuf;

Parameters

• table: The table to marshall. Will probably contain just the 'name' entry.
• max_length: [optional] The maximum size of the buffer, in characters, including the null terminator. Defaults to the length of the string, including the null.

Return value:

A string representing the marshalled data.

marshall_winreg_StringBuf_ptr (table, max_length)

Marshall a winreg_StringBuffer pointer. Same as marshall_winreg_StringBuf, except the string can be nil.

Parameters

• table: The table representing the String.
• max_length: [optional] The maximum size of the buffer, in characters. Defaults to the length of the string, including the null.

Return value:

A string representing the marshalled data.

marshall_winreg_Type (winregtype)

Marshall a winreg_Type. This datatype is tied to the table above with that name.

Parameters

• winregtype: The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_winreg_Type_ptr (winreg_type)

Marshall a pointer to a winreg_Type. This datatype is tied to the table above with that name.

Parameters

• winreg_type: The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

samr_AcctFlags_tostr (val)

Convert a samr_AcctFlags value to a string that can be shown to the user. This is based on the <code>_str</table> table.

Parameters

• val: The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.

samr_ConnectAccessMask_tostr (val)

Convert a samr_ConnectAccessMask value to a string that can be shown to the user. This is based on the <code>_str</table> table.

Parameters

• val: The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.

samr_DomainAccessMask_tostr (val)

Convert a samr_DomainAccessMask value to a string that can be shown to the user. This is based on the <code>_str</table> table.

Parameters

• val: The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.

samr_PasswordProperties_tostr (val)

Convert a samr_PasswordProperties value to a string that can be shown to the user. This is based on the <code>_str</table> table.

Parameters

• val: The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.

srvsvc_ShareType_tostr (val)

Convert a srvsvc_ShareType value to a string that can be shown to the user. This is based on the <code>_str</table> table.

Parameters

• val: The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.

string_to_unicode (string, do_null)

Convert a string to fake unicode (ascii with null characters between them), optionally add a null terminator, and optionally align it to 4-byte boundaries. This is frequently used in MSRPC calls, so I put it here, but it might be a good idea to move this function (and the converse one below) into a separate library.

Parameters

• string: The string to convert.
• do_null: [optional] Add a null-terminator to the unicode string. Default false.

Return value:

The unicode version of the string.

svcctl_ControlCode_tostr (val)

Convert a svcctl_ControlCode value to a string that can be shown to the user. This is based on the <code>_str</table> table.

Parameters

• val: The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.

unicode_to_string (buffer, pos, length, do_null)

Read a unicode string from a buffer, similar to how bin.unpack would, optionally eat the null terminator, and optionally align it to 4-byte boundaries.

Parameters

• buffer: The buffer to read from, typically the full 'arguments' value for MSRPC
• pos: The position in the buffer to start (just like bin.unpack)
• length: The number of ascii characters that will be read (including the null, if do_null is set).
• do_null: [optional] Remove a null terminator from the string as the last character. Default false.

Return value:

(pos, string) The new position and the string read, again imitating bin.unpack. If there was an attempt to read off the end of the string, then 'nil' is returned for both parameters.

unmarshall_array (data, pos, count, func, args)

Unmarshalls an array. This function starts to get a little hairy, due to the number of parameters that need to be propagated, but it isn't too bad. Basically, this unmarshalls an array by calling the given function for each element.

The function func has to conform to a very specific prototype:

func(location, data, pos, result, <args>)

Where <code>location<code> is the standard HEAD/BODY location, <code>data<code> and <code>pos<code> are the packet and position within it, <code>result<code> is the result from the HEAD section (if it's nil, it isn't used), and <code>args<code> are arbitrary arguments passed to it.

I made the call to pass the same arguments to each function when it's called. This is, for example, whether or not to null-terminate a string, or whether or not to pad an int16. If different types are required, you're probably out of luck.

Parameters

• data: The data being processed.
• pos: The position within data.
• count: The number of elements in the array.
• func: The function to call to unmarshall each parameter. Has to match a specific prototype; see the function comment.
• args: Arbitrary arguments to pass to the function.

Return value:

(pos, result) The new position and the result of unmarshalling this value.

unmarshall_dom_sid2 (data, pos)

Unmarshall a struct with the following definition:

   typedef [public,gensize,noprint,noejs,nosize] struct {
       uint8  sid_rev_num;             /**< SID revision number */
       [range(0,15)] int8  num_auths;  /**< Number of sub-authorities */
       uint8  id_auth[6];              /**< Identifier Authority */
       uint32 sub_auths[num_auths];
   } dom_sid;

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_dom_sid2_ptr (data, pos)

Unmarshall a pointer to a dom_sid2 struct. See the unmarshall_dom_sid2 function for more information.

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_Enum16 (data, pos, table, default, pad)

Unmarshall an entry in a table. Basically, converts the next int16 in the buffer to a string based on the entries in table before returning.

Parameters

• data: The data packet.
• pos: The position within the data.
• table: The table to use for lookups. The keys should be the names, and the values should be the numbers.
• default: The default value to return if the lookup was unsuccessful.
• pad: [optional] If set, will ensure that we end up on an even multiple of 4. Default: true.

Return value:

(pos, policy_handle) The new position, and a table representing the policy_handle.

unmarshall_Enum32 (data, pos, table, default)

Unmarshall an entry in a table. Basically, converts the next int32 in the buffer to a string based on the entries in table before returning.

Parameters

• data: The data packet.
• pos: The position within the data.
• table: The table to use for lookups. The keys should be the names, and the values should be the numbers.
• default: The default value to return if the lookup was unsuccessful.

Return value:

(pos, policy_handle) The new position, and a table representing the policy_handle.

unmarshall_Enum32_array (data, pos, table)

Similar to unmarshall_Enum32, except it'll return every value that could be ANDed together to create the resulting value (except a 0 value). This is effective for parsing flag data types.

Parameters

• data: The data packet.
• pos: The position within the data.
• table: The table to use for lookups. The keys should be the names, and the values should be the numbers.

Return value:

(pos, array) The new position, and a table representing the enumeration values.

unmarshall_guid (data, pos)

Unmarshalls a GUID. See marshall_guid for the structure.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_hyper (data, pos)

Unmarshalls a hyper. I have no idea what a hyper is, just that it seems to be a 64-bit data type used for measuring time, and that the units happen to be negative microseconds. This function converts the value to seconds and returns it.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, val) The new position, and the result in seconds.

unmarshall_int16 (data, pos, pad)

Unmarshall an int16. See marshall_int16 for more information.

Parameters

• data: The data packet.
• pos: The position within the data.
• pad: [optional] If set, will remove extra bytes to align the packet, Default: true

Return value:

(pos, int16) The new position, and the value.

unmarshall_int16_ptr (data, pos, pad)

Unmarshall a pointer to an int16. See marshall_int16_ptr for more information.

Parameters

• data: The data packet.
• pos: The position within the data.
• pad: [optional] If set, will remove extra bytes to align the packet, Default: true

Return value:

(pos, int16) The new position, and the value.

unmarshall_int32 (data, pos)

Unmarshall an int32. See marshall_int32 for more information.

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, int32) The new position, and the value.

unmarshall_int32_array (data, pos, count)

Unmarshall an array of int32s.

Parameters

• data: The data packet.
• pos: The position within the data.
• count:

Return value:

(pos, str) The position, and the resulting string, which cannot be nil.

unmarshall_int32_array_ptr (data, pos)

Unmarshall a pointer to an array of int32s.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, str) The position, and the resulting string, which cannot be nil.

unmarshall_int32_ptr (data, pos)

Unmarshall a pointer to an int32. See marshall_int32_ptr for more information.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, int32) The new position, and the value.

unmarshall_int64 (data, pos)

Unmarshall an int64. See marshall_int64 for more information.

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, int64) The new position, and the value.

unmarshall_int8 (data, pos, pad)

Unmarshall an int8. See marshall_int8 for more information.

Parameters

• data: The data packet.
• pos: The position within the data.
• pad: [optional] If set, will remove extra bytes to align the packet, Default: true

Return value:

(pos, int8) The new position, and the value.

unmarshall_int8_array (data, pos, pad)

Unmarshall an array of int8s.

Parameters

• data: The data packet.
• pos: The position within the data.
• pad: [optional] If set to true, will align data on 4-byte boundaries. Default: true.

Return value:

(pos, str) The position, and the resulting string, which cannot be nil.

unmarshall_int8_array_ptr (data, pos, pad)

Unmarshall a pointer to an array of int8s. By default, aligns the result to 4-byte boundaries.

Parameters

• data: The data packet.
• pos: The position within the data.
• pad: [optional] If set to true, will align data on 4-byte boundaries. Default: true.

Return value:

(pos, str) The position, and the resulting string, which cannot be nil.

unmarshall_int8_ptr (data, pos, pad)

Unmarshall a pointer to an int8. See marshall_int8_ptr for more information.

Parameters

• data: The data packet.
• pos: The position within the data.
• pad: [optional] If set, will remove extra bytes to align the packet, Default: true

Return value:

(pos, int8) The new position, and the value.

unmarshall_lsa_DomainInfo (location, data, pos, result)

Unmarshall a struct with the following definition:

   typedef struct {
       lsa_StringLarge name;
       dom_sid2 *sid;
   } lsa_DomainInfo;

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• data: The data being processed.
• pos: The position within data.
• result: This is required when unmarshalling the BODY section, which always comes after unmarshalling the HEAD. It is the result returned for this parameter during the HEAD unmarshall. If the referent_id was '0', then this function doesn't unmarshall anything.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_lsa_LookupNamesLevel (data, pos)

Unmarshall a lsa_LookupNamesLevel. This datatype is tied to the table with that name.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.

unmarshall_lsa_RefDomainList (data, pos)

Unmarshall a struct with the following definition:

   typedef struct {
       [range(0,1000)] uint32 count;
       [size_is(count)] lsa_DomainInfo *domains;
       uint32 max_size;
   } lsa_RefDomainList;

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_lsa_RefDomainList_ptr (data, pos)

Unmarshall a pointer to a lsa_RefDomainList. See the unmarshall_lsa_RefDomainList function for more information.

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_lsa_SidArray (data, pos)

Unmarshall a struct with the following definition:

typedef [public] struct { [range(0,1000)] uint32 num_sids; [size_is(num_sids)] lsa_SidPtr *sids; } lsa_SidArray;

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_lsa_SidPtr (location, data, pos, result)

Unmarshall a struct with the following definition: typedef struct { dom_sid2 *sid; } lsa_SidPtr;

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• data: The data being processed.
• pos: The position within data.
• result: This is required when unmarshalling the BODY section, which always comes after unmarshalling the HEAD. It is the result returned for this parameter during the HEAD unmarshall. If the referent_id was '0', then this function doesn't unmarshall anything.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_lsa_SidType (data, pos)

Unmarshall a lsa_SidType. This datatype is tied to the table with that name.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.

unmarshall_lsa_String_internal (location, data, pos, result)

Unmarshall a lsa_String value. See marshall_lsa_String_internal for more information.

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• data: The data packet.
• pos: The position within the data.
• result: This is required when unmarshalling the BODY section, which always comes after unmarshalling the HEAD. It is the result returned for this parameter during the HEAD unmarshall. If the referent_id was '0', then this function doesn't unmarshall anything.

Return value:

(pos, str) The new position, and the unmarshalled string.

unmarshall_lsa_StringLarge (location, data, pos, result)

Marshall a struct with the following definition:

   typedef [public] struct {
       [value(2*strlen_m(string))] uint16 length;
       [value(2*(strlen_m(string)+1))] uint16 size;
       [charset(UTF16),size_is(size/2),length_is(length/2)] uint16 *string;
   } lsa_StringLarge;

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• data: The data being processed.
• pos: The position within data.
• result: This is required when unmarshalling the BODY section, which always comes after unmarshalling the HEAD. It is the result returned for this parameter during the HEAD unmarshall. If the referent_id was '0', then this function doesn't unmarshall anything.

Return value:

(pos, result) The new position in data, and the string value.

unmarshall_lsa_TranslatedSid2 (location, data, pos, result)

Unmarshall a struct with the following definition:

   typedef struct {
       lsa_SidType sid_type;
       uint32 rid;
       uint32 sid_index;
       uint32 unknown;
   } lsa_TranslatedSid2;

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• data: The data being processed.
• pos: The position within data.
• result: This is required when unmarshalling the BODY section, which always comes after unmarshalling the HEAD. It is the result returned for this parameter during the HEAD unmarshall. If the referent_id was '0', then this function doesn't unmarshall anything.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_lsa_TransNameArray2 (data, pos)

Unmarshall a lsa_TransNameArray2 structure. See the marshall_lsa_TransNameArray2 for more information.

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_lsa_TransSidArray2 (data, pos)

Unmarshall a struct with the following definition:

   typedef struct {
       [range(0,1000)] uint32 count;
       [size_is(count)] lsa_TranslatedSid2 *sids;
   } lsa_TransSidArray2;

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_NTTIME (data, pos)

Unmarshalles an NTTIME. See marshall_NTTIME for more information.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, time) The new position, and the time in seconds since 1970.

unmarshall_NTTIME_ptr (data, pos)

Unmarshalles an NTTIME*.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, time) The new position, and the time in seconds since 1970.

unmarshall_policy_handle (data, pos)

Unmarshalls a policy_handle. See marshall_policy_handle for the structure.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_ptr (location, data, pos, func, args, result)

Unmarshalls a pointer by removing the referent_id in the HEAD section and the data in the BODY section (or both in the ALL section). Because the unmarshall function for the body is called if and only if the referent_id is non-zero, if the head and the body are split apart, the second call to this function has to know the context. This is the purpose for the result parameter, it is the result from the first time this is called.

The function func has to conform to this format:

func(data, pos, <args>)

Parameters

• location: The part of the pointer being processed, either HEAD (for the referent_id), BODY (for the pointer data), or ALL (for both together). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• data: The data being processed.
• pos: The position within data
• func: The function that's used to process the body data (only called if it isn't a null pointer). This function has to conform to a specific prototype, see above.
• args: The arguments that'll be passed to the function func, after the data array and the position.
• result: This is required when unmarshalling the BODY section, which always comes after unmarshalling the HEAD. It is the result returned for this parameter during the HEAD unmarshall. If the referent_id was '0', then this function doesn't unmarshall anything.

Return value:

(pos, result) The new position along with the result. For HEAD the result is either true for valid pointers or false for null pointers. For BODY or ALL, the result is nil for null pointers, or the data for valid pointers.

unmarshall_raw (data, pos, length)

Unmarshall raw data.

Parameters

• data: The data packet.
• pos: The position within the data.
• length: The number of bytes to unmarshall.

Return value:

(pos, data) The new position in the packet, and a string representing the raw data.

unmarshall_samr_AcctFlags (data, pos)

Unmarshall a samr_AcctFlags. This datatype is tied to the table with that name.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.

unmarshall_samr_ConnectAccessMask (data, pos)

Unmarshall a samr_ConnectAccessMask. This datatype is tied to the table with that name.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_samr_DispEntryGeneral (location, data, pos, result)

Unmarshall a struct with the following definition:

   typedef struct {
       uint32    idx;
       uint32    rid;
       samr_AcctFlags acct_flags;
       lsa_String account_name;
       lsa_String description;
       lsa_String full_name;
   } samr_DispEntryGeneral;

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• data: The data being processed.
• pos: The position within data.
• result: This is required when unmarshalling the BODY section, which always comes after unmarshalling the HEAD. It is the result returned for this parameter during the HEAD unmarshall. If the referent_id was '0', then this function doesn't unmarshall anything.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_samr_DispInfo (data, pos)

Unmarshall a struct with the following definition:

   typedef [switch_type(uint16)] union {
       [case(1)] samr_DispInfoGeneral info1;/* users */
       [case(2)] samr_DispInfoFull info2; /* trust accounts? */
       [case(3)] samr_DispInfoFullGroups info3; /* groups */
       [case(4)] samr_DispInfoAscii info4; /* users */
       [case(5)] samr_DispInfoAscii info5; /* groups */
   } samr_DispInfo;

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype. It may also return nil, if there was an error.

unmarshall_samr_DispInfoGeneral (data, pos)

Unmarshall a struct with the following definition:

   typedef struct {
       uint32 count;
       [size_is(count)] samr_DispEntryGeneral *entries;
   } samr_DispInfoGeneral;

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_samr_DomainAccessMask (data, pos)

Unmarshall a samr_DomainAccessMask. This datatype is tied to the table with that name.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_samr_DomainInfo (data, pos)

Unmarshall a union with the following definition:

	typedef [switch_type(uint16)] union {
		[case(1)] samr_DomInfo1 info1;
		[case(2)] samr_DomInfo2 info2;
		[case(3)] samr_DomInfo3 info3;
		[case(4)] samr_DomInfo4 info4;
		[case(5)] samr_DomInfo5 info5;
		[case(6)] samr_DomInfo6 info6;
		[case(7)] samr_DomInfo7 info7;
		[case(8)] samr_DomInfo8 info8;
		[case(9)] samr_DomInfo9 info9;
		[case(11)] samr_DomInfo11 info11;
		[case(12)] samr_DomInfo12 info12;
		[case(13)] samr_DomInfo13 info13;
	} samr_DomainInfo;

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype. May return nil if there was an error.

unmarshall_samr_DomainInfo_ptr (data, pos)

Unmarshall a pointer to a samr_DomainInfo. See unmarshall_samr_DomainInfo for more information.

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype. May return nil if there was an error.

unmarshall_samr_DomInfo1 (data, pos)

Unmarshall a struct with the following definition:

	typedef struct {
		uint16 min_password_length;
		uint16 password_history_length;
		samr_PasswordProperties password_properties;
		/* yes, these are signed. They are in negative 100ns */
		dlong  max_password_age;
		dlong  min_password_age;
	} samr_DomInfo1;

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_samr_DomInfo12 (data, pos)

Unmarshall a struct with the following definition:

	typedef struct {
		hyper lockout_duration;
		hyper lockout_window;
		uint16 lockout_threshold;
	} samr_DomInfo12;

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_samr_DomInfo8 (data, pos)

Unmarshall a struct with the following definition:

	typedef struct {
		hyper sequence_num;
		NTTIME domain_create_time;
	} samr_DomInfo8;

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_samr_Ids (data, pos)

Unmarshall a structure with the following definition:

   typedef struct {
       [range(0,1024)]  uint32 count;
       [size_is(count)] uint32 *ids;
   } samr_Ids;

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype. May return nil if there was an error.

unmarshall_samr_PasswordProperties (data, pos)

Unmarshall a samr_PasswordProperties. This datatype is tied to the table with that name.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.

unmarshall_samr_SamArray (data, pos)

Unmarshall a struct with the following definition:

   typedef struct {
       uint32 count;
       [size_is(count)] samr_SamEntry *entries;
   } samr_SamArray;

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_samr_SamArray_ptr (data, pos)

Unmarshall a pointer to a samr_SamArray type. See unmarshall_samr_SamArray for more information.

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_samr_SamEntry (location, data, pos, result)

Unmarshall a struct with the following definition:

   typedef struct {
       uint32 idx;
       lsa_String name;
   } samr_SamEntry;

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• data: The data being processed.
• pos: The position within data.
• result: This is required when unmarshalling the BODY section, which always comes after unmarshalling the HEAD. It is the result returned for this parameter during the HEAD unmarshall. If the referent_id was '0', then this function doesn't unmarshall anything.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_SERVICE_STATUS (data, pos)

Unmarshall a SERVICE_STATUS struct, converting it to a table. The structure is as follows:

   typedef struct {
       uint32 type;
       uint32 state;
       uint32 controls_accepted;
       WERROR win32_exit_code;
       uint32 service_exit_code;
       uint32 check_point;
       uint32 wait_hint;
   } SERVICE_STATUS;

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, table) The new position, and the table of values.

unmarshall_srvsvc_NetSessCtr (data, pos)

Unmarshall the top-level NetShareCtr. This is a union; see the marshall function for more information.

Parameters

• data: The data being processed.
• pos: The position within data

Return value:

(pos, result) The new position in data, and a table representing the datatype. Can be nil if there's an error.

unmarshall_srvsvc_NetSessCtr10 (data, pos)

Unmarshall a NetSessCtr (session container) type 10. See the marshall function for the definition.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_srvsvc_NetSessInfo10 (location, data, pos, result)

Unmarshall a NetSessInfo type 10. For more information, see the marshall function.

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• data: The data packet.
• pos: The position within the data.
• result: This is required when unmarshalling the BODY section, which always comes after unmarshalling the HEAD. It is the result returned for this parameter during the HEAD unmarshall. If the referent_id was '0', then this function doesn't unmarshall anything.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_srvsvc_NetShareCtr (data, pos)

Unmarshall the top-level NetShareCtr. This is a union of a bunch of containers, see the equivalent marshall function for more information; at the time of this writing I've only implemented level = 0.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, result) The new position in data, and a table representing the datatype. The result may be nil if there's an error.

unmarshall_srvsvc_NetShareCtr0 (data, pos)

Unmarshall a NetShareCtr (container) type 0. See the marshall function for the definition.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_srvsvc_NetShareInfo (data, pos)

Unmarshall the top-level NetShareInfo. This is a union of a bunch of different structs:

   typedef union {
       [case(0)] srvsvc_NetShareInfo0 *info0;
       [case(1)] srvsvc_NetShareInfo1 *info1;
       [case(2)] srvsvc_NetShareInfo2 *info2;
       [case(501)] srvsvc_NetShareInfo501 *info501;
       [case(502)] srvsvc_NetShareInfo502 *info502;
       [case(1004)] srvsvc_NetShareInfo1004 *info1004;
       [case(1005)] srvsvc_NetShareInfo1005 *info1005;
       [case(1006)] srvsvc_NetShareInfo1006 *info1006;
       [case(1007)] srvsvc_NetShareInfo1007 *info1007;
       [case(1501)] sec_desc_buf *info1501;
       [default] ;
   } srvsvc_NetShareInfo;

Not all of them are implemented, however; look at the code to see which are implemented (at the time of this writing, it's 0, 1, and 2).

Parameters

• data: The data being processed.
• pos: The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype. This may be nil if there was an error.

unmarshall_srvsvc_NetShareInfo0 (location, data, pos, result)

Unmarshall a NetShareInfo type 0, which is just a name. See the marshall function for more information.

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• data: The data packet.
• pos: The position within the data.
• result: This is required when unmarshalling the BODY section, which always comes after unmarshalling the HEAD. It is the result returned for this parameter during the HEAD unmarshall. If the referent_id was '0', then this function doesn't unmarshall anything.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_srvsvc_NetShareInfo1 (location, data, pos, result)

Unmarshall a NetShareInfo type 1, which is a name and a couple other things. See the marshall function for more information.

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• data: The data packet.
• pos: The position within the data.
• result: This is required when unmarshalling the BODY section, which always comes after unmarshalling the HEAD. It is the result returned for this parameter during the HEAD unmarshall. If the referent_id was '0', then this function doesn't unmarshall anything.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_srvsvc_NetShareInfo2 (location, data, pos, result)

Unmarshall a NetShareInfo type 2, which is a name and a few other things. See the marshall function for more information.

Parameters

• location: The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
• data: The data packet.
• pos: The position within the data.
• result: This is required when unmarshalling the BODY section, which always comes after unmarshalling the HEAD. It is the result returned for this parameter during the HEAD unmarshall. If the referent_id was '0', then this function doesn't unmarshall anything.

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_srvsvc_ShareType (data, pos)

Unmarshall a srvsvc_ShareType. This datatype is tied to the table with that name.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.

unmarshall_srvsvc_Statistics (data, pos)

Unmarshall a srvsvc_Statistics packet. This is basically a great big struct:

   typedef struct {
       uint32 start;
       uint32 fopens;
       uint32 devopens;
       uint32 jobsqueued;
       uint32 sopens;
       uint32 stimeouts;
       uint32 serrorout;
       uint32 pwerrors;
       uint32 permerrors;
       uint32 syserrors;
       uint32 bytessent_low;
       uint32 bytessent_high;
       uint32 bytesrcvd_low;
       uint32 bytesrcvd_high;
       uint32 avresponse;
       uint32 reqbufneed;
       uint32 bigbufneed;
   } srvsvc_Statistics;

Note that Wireshark (at least, the version I'm using, 1.0.3) gets this wrong, so be careful.

Parameters

• data: The data being processed.
• pos: The position within data

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_srvsvc_Statistics_ptr (data, pos)

Unmarshalls a srvsvc_Statistics as a pointer. Wireshark fails to do this, and ends up parsing the packet wrong, so take care when packetlogging.

See unmarshall_srvsvc_Statistics for more information.

Parameters

• data: The data being processed.
• pos: The position within data

Return value:

(pos, result) The new position in data, and a table representing the datatype.

unmarshall_struct (data, pos, func, args)

Call a function that matches the prototype for unmarshall_array. This allows the same struct to be used in unmarshall_array and in unmarshall_ptr. It is kind of a kludge, but it makes sense, and was the cleanest solution I could come up with to this problem (although I'm sure that there's a better one staring me in the face).

The func parameter, obviously, has to match the same prototype as strings being passed to unmarshall_array, which is:

func(location, data, pos, result, <args>)

Parameters

• data: The data being processed.
• pos: The position within data.
• func: The function to call to unmarshall each parameter. Has to match a specific prototype; see the function comment.
• args: Arbitrary arguments to pass to the function.

Return value:

(pos, result) The new position and the result of unmarshalling this value.

unmarshall_svcctl_ControlCode (data, pos)

Unmarshall a svcctl_ControlCode. This datatype is tied to the table with that name.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.

unmarshall_svcctl_State (data, pos)

Unmarshall a svcctl_State. This datatype is tied to the table with that name.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.

unmarshall_svcctl_Type (data, pos)

Unmarshall a svcctl_Type. This datatype is tied to the table with that name.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.

unmarshall_SYSTEMTIME (data, pos)

Unmarshall a SYSTEMTIME structure, converting it to a standard representation. The structure is a follows:

	 typedef struct _SYSTEMTIME {
	   WORD wYear;
	   WORD wMonth;
	   WORD wDayOfWeek;
	   WORD wDay;
	   WORD wHour;
	   WORD wMinute;
	   WORD wSecond;
	   WORD wMilliseconds;
	 } SYSTEMTIME

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, time) The new position, and the time in seconds since 1970.

unmarshall_unicode (data, pos, do_null)

Unmarshall a string that is in the format: [string,charset(UTF16)] uint16 *str

See marshall_unicode for more information.

Parameters

• data: The data buffer.
• pos: The position in the data buffer.
• do_null: [optional] Discards the final character, the string terminator. Default false.

Return value:

(pos, str) The new position, and the string. The string may be nil.

unmarshall_unicode_ptr (data, pos, do_null)

Unmarshall a pointer to a unicode string.

Parameters

• data: The data being processed.
• pos: The position within data.
• do_null: [optional] Assumes a null is at the end of the string. Default false.

Return value:

(pos, result) The new position and the string.

unmarshall_winreg_AccessMask (data, pos)

Unmarshall a winreg_AccessMask. This datatype is tied to the table with that name.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.

unmarshall_winreg_String (data, pos)

Unmarshall a winreg_String. Since ti has the same makup as winreg_StringBuf, delegate to that.

Parameters

• data: The data buffer.
• pos: The position in the data buffer.

Return value:

(pos, str) The new position and the string.

unmarshall_winreg_StringBuf (data, pos)

Unmarshall a winreg_StringBuf buffer.

Parameters

• data: The data buffer.
• pos: The position in the data buffer.

Return value:

(pos, str) The new position and the string.

unmarshall_winreg_StringBuf_ptr (data, pos)

Unmarshall a winreg_StringBuffer pointer

Parameters

• data: The data buffer.
• pos: The position in the data buffer.

Return value:

(pos, str) The new position and the string.

unmarshall_winreg_Type (data, pos)

Unmarshall a winreg_Type. This datatype is tied to the table with that name.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.

unmarshall_winreg_Type_ptr (data, pos)

Unmarshall a pointer to a winreg_Type. This datatype is tied to the table with that name.

Parameters

• data: The data packet.
• pos: The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.

winreg_AccessMask_tostr (val)

Convert a winreg_AccessMask value to a string that can be shown to the user. This is based on the <code>_str</table> table.

Parameters

• val: The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.

winreg_Type_tostr (val)

Convert a winreg_Type value to a string that can be shown to the user. This is based on the <code>_str</table> table.

Parameters

• val: The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.