Library msrpctypes

This module was written to marshall parameters for Microsoft RPC (MSRPC) calls. The values passed in and out are based on structs defined by the protocol, and documented by Samba developers. For detailed breakdowns of the types, take a look at Samba 4.0's .idl files.

There is nothing simple about how this all comes together, so I'll take some time to explain how it's done. This is fairly technical and, when it comes right down to it, unnecessary for using these functions (although if you want to write one of these, you had best understand it).

There are base types, like int32 and int16. These are marshalled the way you'd expect (converted to a 4- or 2-byte little endian string). The only trick with these is that they have to end up aligned on 4-byte boundaries. So, a 2-byte integer requires 2 bytes of padding, and a 1-byte integer requires 3 bytes of padding. The functions marshall_int32, marshall_int16, etc. will marshall the base types, and unmarshall_int32, unmarshall_int16, etc. will unmarshall them.

Strings are a little bit trickier. A string is preceded by three 32-bit values: the max length, the offset, and the length. Additionally, strings may or may not be null terminated, depending on where they're being used. For more information on strings, see the comments on marshall_unicode. The functions marshall_unicode and unmarshall_unicode can be used to marshall/unmarshall strings.

Pointers also have interesting properties. A pointer is preceded by a 4-byte value called (at least by Wireshark) the "referent id". For a valid pointer, this can be anything except 0 (I use 'NMAP' for it). If it's '0', then it's a null pointer and the data doesn't actually follow. To help clarify, a pointer to the integer '4' could be marshalled as the hex string 78 56 34 12 04 00 00 00 (the referent_id is 0x12345678 and the integer itself is 0x00000004). If the integer is nil, then it's marshalled as 00 00 00 00, which is simply a referent_id of 0.

From the perspective of the program, pointers can be marshalled by using the "_ptr" versions of normal functions (for example, marshall_int32_ptr and unmarshall_unicode_ptr). From the perspective of functions within this module, especially functions for marshalling structs and arrays, the marshall_ptr and unmarshall_ptr functions should be used. These can marshall any data type; the marshalling function is passed as a parameter.

So far, this is fairly straightforward. Arrays are where everything falls apart.

An array of basic types is simply the types themselves, preceded by the "max length" of the array (which can be longer than the actual length). When pointers are used in an array, however, things get hairy. The 'referent_id's of the pointers are all put at the start of the array, along with the base types. Then, the data is put at the end of the array, for all the referent_ids that aren't null. Let's say you have four strings, "abc", "def", null, and "jkl", in an array. The array would look like this:

 0x00200000 (referent_id for "abc")
 0x00400000 (referent_id for "def")
 0x00000000 (null referent_id)
 0x00800000 (referent_id for "jkl")
 "abc" (note that this also has the standard string stuff, the max_length, offset, and actual_length)
 "def"
 "jkl"

If you mix in a base type, it goes at the front along with the referent_ids. So, let's say you have a structure that contains two integers and a string. You have an array of these. It would encode like this:

 0x00200000 (referent_id for the string in the first struct)
 0x00000001 (first integer in the first struct)
 0x00000002 (second integer in the first struct)
 0x00400000 (referent_id for the string in the second struct)
 0x00000003 (first integer in the second struct)
 0x00000004 (second integer in the second struct)
 "string1" (contains max_length, offset, and actual_length)
 "string2"

From the perspective of the program, arrays shouldn't need to be marshalled/unmarshalled directly; this is tricky and should be left up to functions within this module. Functions within this module should use marshall_array and unmarshall_array to interact with arrays. These take callback functions for the datatype being stored in the array; these callback functions have to be in a particular format, so care should be taken when writing them. In particular, the first parameter has to be location, which is used to separate the header (the part with the referent_ids) and the body (the part with the pointer data). These are explained more thoroughly in the function headers.

Structs are handled the same as arrays. The referent_ids and base types go at the top, and the values being pointed to go at the bottom. An array of struct, as has already been shown, will have all the base types and referent_ids for all the members at the top, and all the values for all the pointers at the bottom.

Structs tend to be custom functions. Sometimes, these functions are passed as the callback to marshall_ptr or marshall_array (and the equivalent unmarshall_ functions). This means that the custom struct functions have to be able to split themselves into the base types and the pointer data automatically. For an example, see the functions that have already been written.
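The layout above seen from the receiving side, as an added example that is not code from msrpctypes.lua: a Python parser that reads an array of structs (string pointer plus two integers), taking all headers first and the deferred strings second, and rejecting counts and lengths the buffer cannot satisfy. The names Reader, parse_record_array and sample_string, and the sample buffer, are constructed for this illustration.

```python
import struct


class Reader:
    """Cursor over a received buffer; every read is bounds-checked."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def u32(self):
        if self.pos + 4 > len(self.buf):
            raise ValueError("truncated at offset %d" % self.pos)
        (value,) = struct.unpack_from("<I", self.buf, self.pos)
        self.pos += 4
        return value

    def unicode(self):
        """max_length, offset, actual_length (in characters), then UTF-16LE padded to 4 bytes."""
        max_len, offset, actual = self.u32(), self.u32(), self.u32()
        nbytes = actual * 2
        if offset + actual > max_len or self.pos + nbytes > len(self.buf):
            raise ValueError("string header inconsistent with buffer")
        raw = self.buf[self.pos:self.pos + nbytes]
        self.pos += nbytes + (-nbytes % 4)  # skip the alignment padding
        return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def parse_record_array(buf):
    """Array of {string pointer, int, int}: all headers first, then the pointed-to strings."""
    r = Reader(buf)
    count = r.u32()  # the array's max length
    if count * 12 > len(buf) - 4:  # each header is three 4-byte values
        raise ValueError("array count exceeds buffer")
    # Header pass: referent_id and the two base-type members of every struct.
    heads = [(r.u32(), r.u32(), r.u32()) for _ in range(count)]
    records = []
    # Body pass: one string for every non-null referent_id, in the same order.
    for referent_id, first, second in heads:
        name = r.unicode() if referent_id != 0 else None
        records.append({"first": first, "second": second, "name": name})
    return records


def sample_string(text):
    """Build one null-terminated string body for the constructed sample below."""
    data = (text + "\x00").encode("utf-16-le")
    chars = len(data) // 2
    return struct.pack("<III", chars, 0, chars) + data + b"\x00" * (-len(data) % 4)


# Constructed sample: the two structs from the listing above, plus a third
# struct whose string pointer is null (referent_id 0, so no body follows).
SAMPLE = (struct.pack("<I", 3)
          + struct.pack("<III", 0x00200000, 1, 2)
          + struct.pack("<III", 0x00400000, 3, 4)
          + struct.pack("<III", 0x00000000, 5, 6)
          + sample_string("string1") + sample_string("string2"))

if __name__ == "__main__":
    for record in parse_record_array(SAMPLE):
        print(record)
```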

In the case where you need to unmarshall the same struct from both an array and a pointer, there's an issue; they require different prototypes. There's really no way to directly fix this, at least, none that I could come up with, so I wrote a function called unmarshall_struct. unmarshall_struct basically calls a struct unmarshalling function the same way unmarshall_array would. This is a bit of a kludge, but it's the best I could come up with.

There are different sections in here, which correspond to "families" of types. I modeled these after Samba's .idl files. MISC corresponds to misc.idl, LSA to lsa.idl, etc. Each of these sections has possible dependencies; for example, SAMR functions use LSA strings, and everything uses SECURITY and MISC. So the order is important -- dependencies have to go above the module.

The datatypes used here are modeled after the datatypes used by Microsoft's functions. Each function that represents a struct will have the struct definition in its comment; and that struct (or the closest representation to it) will be returned. Often, this requires scripts to access something like result['names']['names'][0]['name'], which is rather unwieldy, but I decided that following Microsoft's definitions was the most usable way for many reasons. I find the best way to figure out how to work a function is to call a print_table()-style function on the result and look at how the response is laid out.

Many datatypes are automatically encoded when sent and decoded when received to make life easier for developers. Some examples are:

  • All absolute time values will be seconds from 1970
  • All relative time values will be in seconds (this includes the hyper datatype); when possible, the milliseconds/microseconds (as far down as we have access to) will be preserved as a decimal
  • All enumerations will be a string representing the constant (which can be converted to a user-readable string using one of the _tostr functions); what that means is, enumeration values are never used, only the names
  • SIDs will be converted to user-readable strings in the standard format (S-x-y-...)
  • GUIDs are stored as tables of values; however, I might change this to a string representation at some point

Source: https://svn.nmap.org/nmap/nselib/msrpctypes.lua

Functions

lsa_LookupNamesLevel_tostr (val)

Convert a lsa_LookupNamesLevel value to a string that can be shown to the user. This is based on the _str table.

lsa_SidType_tostr (val)

Convert a lsa_SidType value to a string that can be shown to the user. This is based on the _str table.

marshall_array (array)

Marshalls an array.

marshall_ascii (str, max_length)

Marshall a null-terminated ascii string, with the length/maxlength prepended. Very similar to marshall_unicode, except it's ascii and the null terminator is always used.

marshall_ascii_ptr (str, max_length)

Marshall a pointer to an ascii string.

marshall_atsvc_DaysOfMonth (flags)

Marshall an atsvc_DaysOfMonth. This datatype is tied to the table above with that name.

marshall_atsvc_DaysOfWeek (flags)

Marshall an atsvc_DaysOfWeek. This datatype is tied to the table above with that name.

marshall_atsvc_Flags (flags)

Marshall an atsvc_Flags. This datatype is tied to the table above with that name.

marshall_atsvc_JobInfo (command, time)

Marshall a JobInfo struct.

marshall_dom_sid2 (sid)

Marshall a dom_sid struct

marshall_int16 (int16, pad)

Marshall an int16

marshall_int16_ptr (int16, pad)

Marshall a pointer to an int16

marshall_int32 (int32)

Marshall an int32

marshall_int32_array (data)

Marshall an array of int32 values.

marshall_int32_ptr (int32)

Marshall a pointer to an int32

marshall_int64 (int64)

Marshall an int64. This is simply an 8-byte integer inserted into the buffer, nothing fancy.

marshall_int64_ptr (int64)

Marshall a pointer to an int64.

marshall_int8 (int8, pad)

Marshall an int8

marshall_int8_array (data, max_length)

Marshall an array of int8s, with an optional max_length set.

marshall_int8_array_ptr (data, max_length)

Marshall a pointer to an array of int8s.

marshall_int8_ptr (int8, pad)

Marshall a pointer to an int8

marshall_lsa_LookupNamesLevel (names_level)

Marshall a lsa_LookupNamesLevel. This datatype is tied to the table above with that name.

marshall_lsa_ObjectAttribute ()

Marshall a lsa_ObjectAttribute struct

marshall_lsa_QosInfo ()

Marshall a lsa_QosInfo struct

marshall_lsa_SidArray (sids)

Marshall a lsa_SidArray struct

marshall_lsa_SidType (sid_type)

Marshall a lsa_SidType. This datatype is tied to the table above with that name.

marshall_lsa_String (str, max_length)

Public version of marshall_lsa_String_internal -- see that function for more information. This version doesn't require a location, so it's suitable to be a public function.

marshall_lsa_String_array (strings)

Marshall an array of lsa_String objects. This is a perfect demonstration of how to use marshall_array.

marshall_lsa_String_array2 (strings)

Basically the same as marshall_lsa_String_array, except it has a different structure

marshall_lsa_TransNameArray2 (names)

Marshall a lsa_TransNameArray2 struct

marshall_lsa_TransSidArray2 (sids)

Marshall a lsa_TransSidArray2 struct

marshall_NTTIME (time)

Marshalls an NTTIME.

marshall_NTTIME_ptr (time)

Marshalls an NTTIME*.

marshall_policy_handle (policy_handle)

Marshalls a policy_handle, which looks like this:

marshall_samr_AcctFlags (flags)

Marshall a samr_AcctFlags. This datatype is tied to the table above with that name.

marshall_samr_ConnectAccessMask (accessmask)

Marshall a samr_ConnectAccessMask. This datatype is tied to the table above with that name.

marshall_samr_DomainAccessMask (accessmask)

Marshall a samr_DomainAccessMask. This datatype is tied to the table above with that name.

marshall_samr_PasswordProperties (properties)

Marshall a samr_PasswordProperties. This datatype is tied to the table above with that name.

marshall_srvsvc_NetSessCtr (level, data)

Marshall the top-level NetShareCtr. This is a union of a bunch of different containers:

marshall_srvsvc_NetSessCtr10 (NetSessCtr10)

Marshall a NetSessCtr (session container) type 10.

marshall_srvsvc_NetShareCtr (level, data)

Marshall the top-level NetShareCtr. This is a union of a bunch of different containers:

marshall_srvsvc_NetShareCtr0 (NetShareCtr0)

Marshall a NetShareCtr (container) type 0.

marshall_srvsvc_NetShareCtr1 (NetShareCtr1)

Marshall a NetShareCtr (container) type 1.

marshall_srvsvc_NetShareCtr2 (NetShareCtr2)

Marshall a NetShareCtr (container) type 2.

marshall_srvsvc_ShareType (sharetype)

Marshall a srvsvc_ShareType. This datatype is tied to the table above with that name.

marshall_svcctl_ControlCode (flags)

Marshall a svcctl_ControlCode. This datatype is tied to the table above with that name.

marshall_svcctl_State (flags)

Marshall a svcctl_State. This datatype is tied to the table above with that name.

marshall_svcctl_Type (flags)

Marshall a svcctl_Type. This datatype is tied to the table above with that name.

marshall_unicode (str, do_null, max_length)

Marshall a string that is in the format: [string,charset(UTF16)] uint16 *str

marshall_unicode_array (strings, do_null)

Marshall an array of unicode strings. This is a perfect demonstration of how to use marshall_array.

marshall_unicode_array_ptr (strings, do_null)

Marshall a pointer to an array of unicode strings. See marshall_unicode_array for more information.

marshall_unicode_ptr (str, do_null, max_length)

Marshall a pointer to a unicode string.

marshall_winreg_AccessMask (accessmask)

Marshall a winreg_AccessMask.

marshall_winreg_String (table, max_length)

A winreg_String has the same makeup as a winreg_StringBuf, as far as I can tell, so delegate to that function.

marshall_winreg_StringBuf (table, max_length)

A winreg_stringbuf is a buffer that holds a null-terminated string. It can have a max size that's different from its actual size.

marshall_winreg_StringBuf_ptr (table, max_length)

Marshall a winreg_StringBuffer pointer. Same as marshall_winreg_StringBuf, except the string can be nil.

marshall_winreg_Type (winregtype)

Marshall a winreg_Type. This datatype is tied to the table above with that name.

marshall_winreg_Type_ptr (winreg_type)

Marshall a pointer to a winreg_Type. This datatype is tied to the table above with that name.

samr_AcctFlags_tostr (val)

Convert a samr_AcctFlags value to a string that can be shown to the user. This is based on the _str table.

samr_ConnectAccessMask_tostr (val)

Convert a samr_ConnectAccessMask value to a string that can be shown to the user. This is based on the _str table.

samr_DomainAccessMask_tostr (val)

Convert a samr_DomainAccessMask value to a string that can be shown to the user. This is based on the _str table.

samr_PasswordProperties_tostr (val)

Convert a samr_PasswordProperties value to a string that can be shown to the user. This is based on the _str table.

srvsvc_ShareType_tostr (val)

Convert a srvsvc_ShareType value to a string that can be shown to the user. This is based on the _str table.

string_to_unicode (string, do_null)

Convert a string to Unicode (UTF-16 LE), optionally add a null terminator, and align it to 4-byte boundaries.

svcctl_ControlCode_tostr (val)

Convert a svcctl_ControlCode value to a string that can be shown to the user. This is based on the _str table.

unicode_to_string (buffer, pos, length, do_null)

Read a unicode string from a buffer, optionally eat the null terminator, and optionally align it to 4-byte boundaries.

unmarshall_dom_sid2 (data, pos)

Unmarshall a dom_sid struct

unmarshall_dom_sid2_ptr (data, pos)

Unmarshall a pointer to a dom_sid2 struct. See the unmarshall_dom_sid2 function for more information.

unmarshall_hyper (data, pos)

Unmarshalls a hyper.

unmarshall_int16 (data, pos, pad)

Unmarshall an int16. See marshall_int16 for more information.

unmarshall_int16_ptr (data, pos, pad)

Unmarshall a pointer to an int16. See marshall_int16_ptr for more information.

unmarshall_int32 (data, pos)

Unmarshall an int32. See marshall_int32 for more information.

unmarshall_int32_array (data, pos, count)

Unmarshall an array of int32s.

unmarshall_int32_array_ptr (data, pos)

Unmarshall a pointer to an array of int32s.

unmarshall_int32_ptr (data, pos)

Unmarshall a pointer to an int32. See marshall_int32_ptr for more information.

unmarshall_int64 (data, pos)

Unmarshall an int64. See marshall_int64 for more information.

unmarshall_int8 (data, pos, pad)

Unmarshall an int8. See marshall_int8 for more information.

unmarshall_int8_array (data, pos, pad)

Unmarshall an array of int8s.

unmarshall_int8_array_ptr (data, pos, pad)

Unmarshall a pointer to an array of int8s. By default, aligns the result to 4-byte boundaries.

unmarshall_int8_ptr (data, pos, pad)

Unmarshall a pointer to an int8. See marshall_int8_ptr for more information.

unmarshall_lptstr (w_str, startpos)

Unmarshalls a null-terminated Unicode string (LPTSTR datatype)

unmarshall_lsa_LookupNamesLevel (data, pos)

Unmarshall a lsa_LookupNamesLevel. This datatype is tied to the table with that name.

unmarshall_lsa_RefDomainList (data, pos)

Unmarshall a lsa_RefDomainList struct

unmarshall_lsa_RefDomainList_ptr (data, pos)

Unmarshall a pointer to a lsa_RefDomainList. See the unmarshall_lsa_RefDomainList function for more information.

unmarshall_lsa_SidArray (data, pos)

Unmarshall a lsa_SidArray struct

unmarshall_lsa_SidPtr (location, data, pos, result)

Unmarshall a lsa_SidPtr struct

unmarshall_lsa_SidType (data, pos)

Unmarshall a lsa_SidType. This datatype is tied to the table with that name.

unmarshall_lsa_TransNameArray2 (data, pos)

Unmarshall a lsa_TransNameArray2 structure. See the marshall_lsa_TransNameArray2 for more information.

unmarshall_lsa_TransSidArray2 (data, pos)

Unmarshall a lsa_TransSidArray2 struct

unmarshall_NTTIME (data, pos)

Unmarshalls an NTTIME. See marshall_NTTIME for more information.

unmarshall_NTTIME_ptr (data, pos)

Unmarshalls an NTTIME*.

unmarshall_policy_handle (data, pos)

Unmarshalls a policy_handle. See marshall_policy_handle for the structure.

unmarshall_raw (data, pos, length)

Unmarshall raw data.

unmarshall_samr_AcctFlags (data, pos)

Unmarshall a samr_AcctFlags. This datatype is tied to the table with that name.

unmarshall_samr_ConnectAccessMask (data, pos)

Unmarshall a samr_ConnectAccessMask. This datatype is tied to the table with that name.

unmarshall_samr_DispInfo (data, pos)

Unmarshall a samr_DispInfo struct

unmarshall_samr_DispInfoGeneral (data, pos)

Unmarshall a samr_DispInfoGeneral struct

unmarshall_samr_DomainAccessMask (data, pos)

Unmarshall a samr_DomainAccessMask. This datatype is tied to the table with that name.

unmarshall_samr_DomainInfo (data, pos)

Unmarshall a samr_DomainInfo union

unmarshall_samr_DomainInfo_ptr (data, pos)

Unmarshall a pointer to a samr_DomainInfo. See unmarshall_samr_DomainInfo for more information.

unmarshall_samr_DomInfo1 (data, pos)

Unmarshall a samr_DomInfo1 struct

unmarshall_samr_DomInfo12 (data, pos)

Unmarshall a samr_DomInfo12 struct

unmarshall_samr_DomInfo8 (data, pos)

Unmarshall a samr_DomInfo8 struct

unmarshall_samr_Ids (data, pos)

Unmarshall a samr_Ids struct

unmarshall_samr_PasswordProperties (data, pos)

Unmarshall a samr_PasswordProperties. This datatype is tied to the table with that name.

unmarshall_samr_SamArray (data, pos)

Unmarshall a samr_SamArray struct

unmarshall_samr_SamArray_ptr (data, pos)

Unmarshall a pointer to a samr_SamArray type. See unmarshall_samr_SamArray for more information.

unmarshall_SERVICE_STATUS (data, pos)

Unmarshall a SERVICE_STATUS struct, converting it to a table.

unmarshall_srvsvc_NetSessCtr (data, pos)

Unmarshall the top-level NetShareCtr. This is a union; see the marshall function for more information.

unmarshall_srvsvc_NetSessCtr10 (data, pos)

Unmarshall a NetSessCtr (session container) type 10. See the marshall function for the definition.

unmarshall_srvsvc_NetShareCtr (data, pos)

Unmarshall the top-level NetShareCtr. This is a union of a bunch of containers; see the equivalent marshall function for more information. At the time of this writing I've only implemented level = 0.

unmarshall_srvsvc_NetShareCtr0 (data, pos)

Unmarshall a NetShareCtr (container) type 0. See the marshall function for the definition.

unmarshall_srvsvc_NetShareInfo (data, pos)

Unmarshall the top-level NetShareInfo. This is a union of a bunch of different structs:

unmarshall_srvsvc_ShareType (data, pos)

Unmarshall a srvsvc_ShareType. This datatype is tied to the table with that name.

unmarshall_srvsvc_Statistics (data, pos)

Unmarshall a srvsvc_Statistics packet. This is basically a great big struct:

unmarshall_srvsvc_Statistics_ptr (data, pos)

Unmarshalls a srvsvc_Statistics as a pointer. Wireshark fails to do this, and ends up parsing the packet wrong, so take care when packetlogging.

unmarshall_svcctl_ControlCode (data, pos)

Unmarshall a svcctl_ControlCode. This datatype is tied to the table with that name.

unmarshall_svcctl_State (data, pos)

Unmarshall a svcctl_State. This datatype is tied to the table with that name.

unmarshall_svcctl_Type (data, pos)

Unmarshall a svcctl_Type. This datatype is tied to the table with that name.

unmarshall_SYSTEMTIME (data, pos)

Unmarshall a SYSTEMTIME structure, converting it to a standard representation.

unmarshall_unicode (data, pos, do_null)

Unmarshall a string that is in the format: [string,charset(UTF16)] uint16 *str

unmarshall_unicode_ptr (data, pos, do_null)

Unmarshall a pointer to a unicode string.

unmarshall_winreg_AccessMask (data, pos)

Unmarshall a winreg_AccessMask. This datatype is tied to the table with that name.

unmarshall_winreg_String (data, pos)

Unmarshall a winreg_String. Since it has the same makeup as winreg_StringBuf, delegate to that.

unmarshall_winreg_StringBuf (data, pos)

Unmarshall a winreg_StringBuf buffer.

unmarshall_winreg_StringBuf_ptr (data, pos)

Unmarshall a winreg_StringBuffer pointer

unmarshall_winreg_Type (data, pos)

Unmarshall a winreg_Type. This datatype is tied to the table with that name.

unmarshall_winreg_Type_ptr (data, pos)

Unmarshall a pointer to a winreg_Type. This datatype is tied to the table with that name.

winreg_AccessMask_tostr (val)

Convert a winreg_AccessMask value to a string that can be shown to the user. This is based on the _str table.

winreg_Type_tostr (val)

Convert a winreg_Type value to a string that can be shown to the user. This is based on the _str table.

Functions

lsa_LookupNamesLevel_tostr (val)

Convert a lsa_LookupNamesLevel value to a string that can be shown to the user. This is based on the _str table.

Parameters

val
The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.

lsa_SidType_tostr (val)

Convert a lsa_SidType value to a string that can be shown to the user. This is based on the _str table.

Parameters

val
The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.

marshall_array (array)

Marshalls an array.

Recall (from the module comment) that the data in an array is split into the referent_ids and base types at the top and the data at the bottom. This function will call any number of location-aware functions twice (once for the top and once for the bottom).

Each element in the array can technically have a different function. I don't know why I allowed that, and may refactor it out in the future. For now, I strongly recommend setting the function to the same for every element.

The function that's called has to have the prototype:

func(location, <args>)
where "location" is the standard HEAD/BODY/ALL location used throughout the functions.

Parameters

array
An array of tables. Each table contains 'func', a pointer to the marshalling function and 'args', the arguments to pass to the marshalling function after the 'location' variable.

Return value:

A string representing the marshalled data.
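A small Python model of this two-pass scheme, added here as an illustration and not taken from msrpctypes.lua: each array entry is a func/args pair, and every func is called once for the header pass and once for the body pass. The ndr_* names and the numeric values of HEAD, BODY and ALL are assumptions; the samples are the four-string array and the two-struct array from the module comment.

```python
import struct

HEAD, BODY, ALL = 1, 2, 3  # location names follow the text; the numeric values are assumptions


def ndr_int32(value):
    """4-byte little-endian integer."""
    return struct.pack("<I", value)


def ndr_unicode(text, do_null=True):
    """max_length, offset, actual_length (in characters), then UTF-16LE padded to 4 bytes."""
    data = text.encode("utf-16-le") + (b"\x00\x00" if do_null else b"")
    count = len(data) // 2
    return struct.pack("<III", count, 0, count) + data + b"\x00" * (-len(data) % 4)


def ndr_ptr(location, func, value, referent_id):
    """HEAD emits the referent id (0 for a null pointer); BODY emits the data, if any."""
    out = b""
    if location in (HEAD, ALL):
        out += ndr_int32(0 if value is None else referent_id)
    if location in (BODY, ALL) and value is not None:
        out += func(value)
    return out


def ndr_record(location, referent_id, first, second, name):
    """A struct callback that splits itself: string referent and integers up top, string below."""
    out = b""
    if location in (HEAD, ALL):
        out += ndr_ptr(HEAD, ndr_unicode, name, referent_id)
        out += ndr_int32(first) + ndr_int32(second)
    if location in (BODY, ALL):
        out += ndr_ptr(BODY, ndr_unicode, name, referent_id)
    return out


def ndr_array(elements):
    """elements: list of (func, args) pairs; func is called as func(location, *args)."""
    out = ndr_int32(len(elements))  # the array's max length
    out += b"".join(func(HEAD, *args) for func, args in elements)  # referent ids, base types
    out += b"".join(func(BODY, *args) for func, args in elements)  # deferred pointer data
    return out


# Constructed sample input: the four strings from the module comment. The third
# referent id is never sent, because a null pointer is marshalled as 0.
STRINGS = ["abc", "def", None, "jkl"]
REFERENTS = [0x00200000, 0x00400000, 0x00600000, 0x00800000]


def build_string_array():
    return ndr_array([(ndr_ptr, (ndr_unicode, s, r)) for s, r in zip(STRINGS, REFERENTS)])


def build_record_array():
    return ndr_array([(ndr_record, (0x00200000, 1, 2, "string1")),
                      (ndr_record, (0x00400000, 3, 4, "string2"))])


if __name__ == "__main__":
    print(build_string_array().hex(" ", 4))
    print(build_record_array().hex(" ", 4))
```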
marshall_ascii (str, max_length)

Marshall a null-terminated ascii string, with the length/maxlength prepended. Very similar to marshall_unicode, except it's ascii and the null terminator is always used.

Parameters

str
The string to marshall.
max_length
[optional] The maximum length; default: actual length.

marshall_ascii_ptr (str, max_length)

Marshall a pointer to an ascii string.

Parameters

str
The string to insert. Can be nil.
max_length
[optional] Sets a max length that's different than the string's length.

Return value:

A string representing the marshalled data.

marshall_atsvc_DaysOfMonth (flags)

Marshall an atsvc_DaysOfMonth. This datatype is tied to the table above with that name.

Parameters

flags
The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_atsvc_DaysOfWeek (flags)

Marshall an atsvc_DaysOfWeek. This datatype is tied to the table above with that name.

Parameters

flags
The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_atsvc_Flags (flags)

Marshall an atsvc_Flags. This datatype is tied to the table above with that name.

Parameters

flags
The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_atsvc_JobInfo (command, time)

Marshall a JobInfo struct.

The structure is as follows:

   typedef struct {
       uint32 job_time;
       atsvc_DaysOfMonth days_of_month;
       atsvc_DaysOfWeek days_of_week;
       atsvc_Flags flags;
       [string,charset(UTF16)] uint16 *command;
   } atsvc_JobInfo;

Parameters

command
The command to run. This has to be just the command, no parameters; if a program requires parameters, then the best way to run it is through a batch file.
time
The time at which to run the job, in milliseconds from midnight.

marshall_dom_sid2 (sid)

Marshall a dom_sid struct

   typedef [public,gensize,noprint,noejs,nosize] struct {
       uint8  sid_rev_num;             /**< SID revision number */
       [range(0,15)] int8  num_auths;  /**< Number of sub-authorities */
       uint8  id_auth[6];              /**< Identifier Authority */
       uint32 sub_auths[num_auths];
   } dom_sid;

Parameters

sid
 

Return value:

A string representing the marshalled data.
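A Python sketch of this struct's byte layout, added as an illustration and not taken from msrpctypes.lua: it converts between the S-x-y-... string form and the dom_sid fields in declaration order, and enforces the range(0,15) bound and the buffer length when decoding. It packs only the four fields shown in the struct above; the function names and the sample SID are chosen for the example.

```python
import struct

MAX_SUB_AUTHS = 15  # upper bound from [range(0,15)] in the struct above


def sid_to_bytes(sid):
    """Encode 'S-<rev>-<authority>-<sub>-...' as the dom_sid fields, in declaration order."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    rev, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > MAX_SUB_AUTHS:
        raise ValueError("too many sub-authorities")
    if not (0 <= rev <= 0xFF and 0 <= authority < (1 << 48)):
        raise ValueError("revision or authority out of range")
    if any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority out of range")
    out = struct.pack("<BB", rev, len(subs))       # sid_rev_num, num_auths
    out += authority.to_bytes(6, "big")            # id_auth[6]: 48-bit value, big-endian
    out += struct.pack("<%dI" % len(subs), *subs)  # sub_auths: little-endian uint32 each
    return out


def bytes_to_sid(buf, pos=0):
    """Decode a dom_sid at pos and return (sid_string, next_pos)."""
    if pos + 8 > len(buf):
        raise ValueError("truncated dom_sid header")
    rev, num_auths = struct.unpack_from("<BB", buf, pos)
    if num_auths > MAX_SUB_AUTHS:
        raise ValueError("num_auths %d is outside range(0,15)" % num_auths)
    end = pos + 8 + 4 * num_auths
    if end > len(buf):
        raise ValueError("num_auths claims more data than the buffer holds")
    authority = int.from_bytes(buf[pos + 2:pos + 8], "big")
    subs = struct.unpack_from("<%dI" % num_auths, buf, pos + 8)
    fields = ["S", str(rev), str(authority)] + [str(s) for s in subs]
    return "-".join(fields), end


if __name__ == "__main__":
    encoded = sid_to_bytes("S-1-5-32-544")  # sample SID used for the round trip
    print(encoded.hex(" "))
    print(bytes_to_sid(encoded))
```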
marshall_int16 (int16, pad)

Marshall an int16

[in] uint16 var

This is simply an integer inserted into the buffer, nothing fancy.

Parameters

int16
The integer to insert
pad
[optional] If set, will align the insert on 4-byte boundaries. Default: true.

Return value:

A string representing the marshalled data.

marshall_int16_ptr (int16, pad)

Marshall a pointer to an int16

[in,out] uint16 *ptr

If the pointer is null, it simply marshalls the integer '0'. Otherwise, it uses a referent id followed by the integer.

Parameters

int16
The value of the integer pointer
pad
[optional] If set, will align the insert on 4-byte boundaries. Default: true.

Return value:

A string representing the marshalled data.

marshall_int32 (int32)

Marshall an int32

[in] uint32 var

This is simply an integer inserted into the buffer, nothing fancy.

Parameters

int32
The integer to insert

Return value:

A string representing the marshalled data.

marshall_int32_array (data)

Marshall an array of int32 values.

Parameters

data
The array

Return value:

A string representing the marshalled data.

marshall_int32_ptr (int32)

Marshall a pointer to an int32

[in,out] uint32 *ptr

If the pointer is null, it simply marshalls the integer '0'. Otherwise, it uses a referent id followed by the integer.

Parameters

int32
The value of the integer pointer

Return value:

A string representing the marshalled data.

marshall_int64 (int64)

Marshall an int64. This is simply an 8-byte integer inserted into the buffer, nothing fancy.

Parameters

int64
The integer to insert

Return value:

A string representing the marshalled data.

marshall_int64_ptr (int64)

Marshall a pointer to an int64.

If the pointer is null, it simply marshalls the integer '0'. Otherwise, it uses a referent id followed by the integer.

Parameters

int64
The value of the integer pointer

Return value:

A string representing the marshalled data.

marshall_int8 (int8, pad)

Marshall an int8

[in] uint8 var

This is simply an integer inserted into the buffer, nothing fancy.

Parameters

int8
The integer to insert
pad
[optional] If set, will align the insert on 4-byte boundaries. Default: true.

Return value:

A string representing the marshalled data.

marshall_int8_array (data, max_length)

Marshall an array of int8s, with an optional max_length set.

Parameters

data
The array to marshall, as a string. Cannot be nil.
max_length
[optional] The maximum length of the buffer. Default: the length of data.

Return value:

A string representing the marshalled data.

marshall_int8_array_ptr (data, max_length)

Marshall a pointer to an array of int8s.

Parameters

data
The array to marshall, as a string. Can be nil.
max_length
[optional] The maximum length of the buffer. Default: the length of data.

Return value:

A string representing the marshalled data.

marshall_int8_ptr (int8, pad)

Marshall a pointer to an int8

[in,out] uint8 *ptr

If the pointer is null, it simply marshalls the integer '0'. Otherwise, it uses a referent id followed by the integer.

Parameters

int8
The value of the integer pointer
pad
[optional] If set, will align the insert on 4-byte boundaries. Default: true.

Return value:

A string representing the marshalled data.

marshall_lsa_LookupNamesLevel (names_level)

Marshall a lsa_LookupNamesLevel. This datatype is tied to the table above with that name.

Parameters

names_level
The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_lsa_ObjectAttribute ()

Marshall a lsa_ObjectAttribute struct

   typedef struct {
       uint32 len; /* ignored */
       uint8 *root_dir;
       [string,charset(UTF16)] uint16 *object_name;
       uint32 attributes;
       security_descriptor *sec_desc;
       lsa_QosInfo *sec_qos;
   } lsa_ObjectAttribute;

I didn't bother letting the user specify values, since I don't know what any of them do. The defaults seem to work really well.

Return value:

A string representing the marshalled data.

marshall_lsa_QosInfo ()

Marshall a lsa_QosInfo struct

   typedef struct {
       uint32  len; /* ignored */
       uint16  impersonation_level;
       uint8   context_mode;
       uint8   effective_only;
   } lsa_QosInfo;

I didn't bother letting the user specify values, since I don't know what any of them do. The defaults seem to work really well.

Return value:

A string representing the marshalled data.

marshall_lsa_SidArray (sids)

Marshall a lsa_SidArray struct

   typedef [public] struct {
       [range(0,1000)] uint32 num_sids;
       [size_is(num_sids)] lsa_SidPtr *sids;
   } lsa_SidArray;

Parameters

sids
The array of SIDs to marshall (as strings).

Return value:

A string representing the marshalled data.

marshall_lsa_SidType (sid_type)

Marshall a lsa_SidType. This datatype is tied to the table above with that name.

Parameters

sid_type
The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.

marshall_lsa_String (str, max_length)

Public version of marshall_lsa_String_internal -- see that function for more information. This version doesn't require a location, so it's suitable to be a public function.

Parameters

str
The string to marshall
max_length
[optional] The maximum size of the buffer, in characters, including the null terminator. Defaults to the length of the string, including the null.

Return value:

A string representing the marshalled data.

marshall_lsa_String_array (strings)

Marshall an array of lsa_String objects. This is a perfect demonstration of how to use marshall_array.

Parameters

strings
The array of strings to marshall

Return value:

A string representing the marshalled data.

marshall_lsa_String_array2 (strings)

Basically the same as marshall_lsa_String_array, except it has a different structure

Parameters

strings
The array of strings to marshall

marshall_lsa_TransNameArray2 (names)

Marshall a lsa_TransNameArray2 struct

   typedef struct {
       [range(0,1000)] uint32 count;
       [size_is(count)] lsa_TranslatedName2 *names;
   } lsa_TransNameArray2;

Parameters

names
An array of names to translate.

Return value:

A string representing the marshalled data.
marshall_lsa_TransSidArray2 (sids)

Marshall a lsa_TransSidArray2 struct

   typedef struct {
       [range(0,1000)] uint32 count;
       [size_is(count)] lsa_TranslatedSid2 *sids;
   } lsa_TransSidArray2;

Parameters

sids
An array of SIDs to translate (as strings)

Return value:

A string representing the marshalled data.
marshall_NTTIME (time)

Marshalls an NTTIME.

This is sent as the number of 1/10 microseconds since 1601; however, the internal representation is the number of seconds since 1970. Because doing conversions in code is annoying, the user will never have to understand anything besides seconds since 1970.

Parameters

time
The time, in seconds since 1970.

Return value:

A string representing the marshalled data.
marshall_NTTIME_ptr (time)

Marshalls an NTTIME*.

Parameters

time
The time, in seconds since 1970.

Return value:

A string representing the marshalled data.
marshall_policy_handle (policy_handle)

Marshalls a policy_handle, which looks like this:

 typedef struct {
   uint32 handle_type;
   GUID   uuid;
 } policy_handle;

Parameters

policy_handle
The policy_handle to marshall.

Return value:

A string representing the marshalled data.
marshall_samr_AcctFlags (flags)

Marshall a samr_AcctFlags. This datatype is tied to the table above with that name.

Parameters

flags
The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.
marshall_samr_ConnectAccessMask (accessmask)

Marshall a samr_ConnectAccessMask. This datatype is tied to the table above with that name.

Parameters

accessmask
The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.
marshall_samr_DomainAccessMask (accessmask)

Marshall a samr_DomainAccessMask. This datatype is tied to the table above with that name.

Parameters

accessmask
The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.
marshall_samr_PasswordProperties (properties)

Marshall a samr_PasswordProperties. This datatype is tied to the table above with that name.

Parameters

properties
The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.
marshall_srvsvc_NetSessCtr (level, data)

Marshall the top-level NetSessCtr. This is a union of a bunch of different containers:

   typedef union {
       [case(0)] srvsvc_NetSessCtr0 *ctr0;
       [case(1)] srvsvc_NetSessCtr1 *ctr1;
       [case(2)] srvsvc_NetSessCtr2 *ctr2;
       [case(10)] srvsvc_NetSessCtr10 *ctr10;
       [case(502)] srvsvc_NetSessCtr502 *ctr502;
       [default] ;
   } srvsvc_NetSessCtr;

Not all of them are implemented, however; look at the code to see which are implemented (at the time of this writing, it's just 10).

Parameters

level
The level to request. Different levels will return different results, but also require different access levels to call.
data
The data to populate the array with. Depending on the level, this data will be different.

Return value:

A string representing the marshalled data.
marshall_srvsvc_NetSessCtr10 (NetSessCtr10)

Marshall a NetSessCtr (session container) type 10.

It is a simple array with the following definition:

   typedef struct {
       uint32 count;
       [size_is(count)] srvsvc_NetSessInfo10 *array;
   } srvsvc_NetSessCtr10;

Parameters

NetSessCtr10
A table representing the structure.

Return value:

A string representing the marshalled data.
marshall_srvsvc_NetShareCtr (level, data)

Marshall the top-level NetShareCtr. This is a union of a bunch of different containers:

   typedef union {
       [case(0)] srvsvc_NetShareCtr0 *ctr0;
       [case(1)] srvsvc_NetShareCtr1 *ctr1;
       [case(2)] srvsvc_NetShareCtr2 *ctr2;
       [case(501)] srvsvc_NetShareCtr501 *ctr501;
       [case(502)] srvsvc_NetShareCtr502 *ctr502;
       [case(1004)] srvsvc_NetShareCtr1004 *ctr1004;
       [case(1005)] srvsvc_NetShareCtr1005 *ctr1005;
       [case(1006)] srvsvc_NetShareCtr1006 *ctr1006;
       [case(1007)] srvsvc_NetShareCtr1007 *ctr1007;
       [case(1501)] srvsvc_NetShareCtr1501 *ctr1501;
       [default] ;
   } srvsvc_NetShareCtr;

Not all of them are implemented, however; look at the code to see which are implemented (at the time of this writing, it's 0, 1, and 2).

Parameters

level
The level to request. Different levels will return different results, but also require different access levels to call.
data
The data to populate the array with. Depending on the level, this data will be different. For level 0, you'll probably want a table containing array=nil.

Return value:

A string representing the marshalled data, or 'nil' if it couldn't be marshalled.
marshall_srvsvc_NetShareCtr0 (NetShareCtr0)

Marshall a NetShareCtr (container) type 0.

It is a simple array with the following definition:

   typedef struct {
       uint32 count;
       [size_is(count)] srvsvc_NetShareInfo0 *array;
   } srvsvc_NetShareCtr0;

Parameters

NetShareCtr0
A table representing the structure.

Return value:

A string representing the marshalled data.
marshall_srvsvc_NetShareCtr1 (NetShareCtr1)

Marshall a NetShareCtr (container) type 1.

It is a simple array with the following definition:

   typedef struct {
       uint32 count;
       [size_is(count)] srvsvc_NetShareInfo1 *array;
   } srvsvc_NetShareCtr1;

Parameters

NetShareCtr1
A table representing the structure.

Return value:

A string representing the marshalled data.
marshall_srvsvc_NetShareCtr2 (NetShareCtr2)

Marshall a NetShareCtr (container) type 2.

It is a simple array with the following definition:

   typedef struct {
       uint32 count;
       [size_is(count)] srvsvc_NetShareInfo2 *array;
   } srvsvc_NetShareCtr2;

Parameters

NetShareCtr2
A pointer to the structure.

Return value:

A string representing the marshalled data.
marshall_srvsvc_ShareType (sharetype)

Marshall a srvsvc_ShareType. This datatype is tied to the table above with that name.

Parameters

sharetype
The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.
marshall_svcctl_ControlCode (flags)

Marshall a svcctl_ControlCode. This datatype is tied to the table above with that name.

Parameters

flags
The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.
marshall_svcctl_State (flags)

Marshall a svcctl_State. This datatype is tied to the table above with that name.

Parameters

flags
The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.
marshall_svcctl_Type (flags)

Marshall a svcctl_Type. This datatype is tied to the table above with that name.

Parameters

flags
The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.
marshall_unicode (str, do_null, max_length)

Marshall a string that is in the format: [string,charset(UTF16)] uint16 *str

This has the max size of the buffer, the offset (I'm not sure what the offset does, I've never seen it used), the actual size, and the string itself. This will always align to the 4-byte boundary.

Parameters

str
The string to insert. Cannot be nil.
do_null
[optional] Appends a null to the end of the string. Default false.
max_length
[optional] Sets a max length that's different than the string's length. Length is in characters, not bytes.

Return value:

A string representing the marshalled data.
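
The layout described above (max size, offset, actual size, UTF-16LE data, padding to a 4-byte boundary), written out as an added Python example; it is not the library's Lua code. The Python function names, the rejection of a non-zero offset, and the sample strings are assumptions of this example.

```python
import struct


def marshall_unicode(text, do_null=False, max_length=None):
    """Build: max count, offset, actual count, UTF-16LE data, 4-byte padding."""
    if do_null:
        text += "\x00"
    encoded = text.encode("utf-16-le")
    actual = len(encoded) // 2          # length in 16-bit characters, not bytes
    if max_length is None:
        max_length = actual
    if max_length < actual:
        raise ValueError("max_length is smaller than the string being sent")
    padding = b"\x00" * (-len(encoded) % 4)
    return struct.pack("<III", max_length, 0, actual) + encoded + padding


def unmarshall_unicode(data, pos, do_null=False):
    """Return (new_pos, text), or (None, None) when the header cannot be trusted.

    The three counts come from the peer, so each one is checked against the
    bytes actually present before anything is sliced out of the buffer.
    """
    if pos < 0 or pos + 12 > len(data):
        return None, None
    max_count, offset, actual = struct.unpack_from("<III", data, pos)
    pos += 12
    # Assumption of this example: a non-zero offset is treated as malformed.
    if offset != 0 or actual > max_count:
        return None, None
    nbytes = actual * 2
    if pos + nbytes > len(data):
        return None, None               # declared length runs off the buffer
    try:
        text = data[pos:pos + nbytes].decode("utf-16-le")
    except UnicodeDecodeError:
        return None, None               # e.g. an unpaired surrogate
    pos += nbytes
    # Skip alignment padding; the buffer is assumed to start on a 4-byte
    # boundary, and padding may be absent at the very end of the data.
    pos = min(pos + (-pos % 4), len(data))
    if do_null and text.endswith("\x00"):
        text = text[:-1]
    return pos, text
```

A string of 5 characters (4 plus the null) occupies 10 bytes, so 2 bytes of padding follow it and the whole value is 24 bytes long.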
marshall_unicode_array (strings, do_null)

Marshall an array of unicode strings. This is a perfect demonstration of how to use marshall_array.

Parameters

strings
The array of strings to marshall
do_null
[optional] Appends a null to the end of the string. Default false.

Return value:

A string representing the marshalled data.
marshall_unicode_array_ptr (strings, do_null)

Marshall a pointer to an array of unicode strings. See marshall_unicode_array for more information.

Parameters

strings
The array of strings to marshall
do_null
[optional] Appends a null to the end of the string. Default false.

Return value:

A string representing the marshalled data.
marshall_unicode_ptr (str, do_null, max_length)

Marshall a pointer to a unicode string.

Parameters

str
The string to insert. Can be nil.
do_null
[optional] Appends a null to the end of the string. Default false.
max_length
[optional] Sets a max length that's different than the string's length. Length is in characters, not bytes.

Return value:

A string representing the marshalled data.
marshall_winreg_AccessMask (accessmask)

Marshall a winreg_AccessMask.

Parameters

accessmask
The access mask as a string (see the winreg_AccessMask table)

Return value:

A string representing the marshalled data.
marshall_winreg_String (table, max_length)

A winreg_String has the same makeup as a winreg_StringBuf, as far as I can tell, so delegate to that function.

Parameters

table
The table representing the String.
max_length
[optional] The maximum size of the buffer, in characters. Defaults to the length of the string, including the null.

Return value:

A string representing the marshalled data.
marshall_winreg_StringBuf (table, max_length)

A winreg_StringBuf is a buffer that holds a null-terminated string. It can have a max size that's different from its actual size.

This is the format:

 typedef struct {
   [value(strlen_m_term(name)*2)] uint16 length;
   uint16 size;
   [size_is(size/2),length_is(length/2),charset(UTF16)] uint16 *name;
 } winreg_StringBuf;

Parameters

table
The table to marshall. Will probably contain just the 'name' entry.
max_length
[optional] The maximum size of the buffer, in characters, including the null terminator. Defaults to the length of the string, including the null.

Return value:

A string representing the marshalled data.
marshall_winreg_StringBuf_ptr (table, max_length)

Marshall a winreg_StringBuf pointer. Same as marshall_winreg_StringBuf, except the string can be nil.

Parameters

table
The table representing the String.
max_length
[optional] The maximum size of the buffer, in characters. Defaults to the length of the string, including the null.

Return value:

A string representing the marshalled data.
marshall_winreg_Type (winregtype)

Marshall a winreg_Type. This datatype is tied to the table above with that name.

Parameters

winregtype
The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.
marshall_winreg_Type_ptr (winreg_type)

Marshall a pointer to a winreg_Type. This datatype is tied to the table above with that name.

Parameters

winreg_type
The value to marshall, as a string

Return value:

The marshalled integer representing the given value, or nil if it wasn't found.
samr_AcctFlags_tostr (val)

Convert a samr_AcctFlags value to a string that can be shown to the user. This is based on the _str table.

Parameters

val
The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.
samr_ConnectAccessMask_tostr (val)

Convert a samr_ConnectAccessMask value to a string that can be shown to the user. This is based on the _str table.

Parameters

val
The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.
samr_DomainAccessMask_tostr (val)

Convert a samr_DomainAccessMask value to a string that can be shown to the user. This is based on the _str table.

Parameters

val
The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.
samr_PasswordProperties_tostr (val)

Convert a samr_PasswordProperties value to a string that can be shown to the user. This is based on the _str table.

Parameters

val
The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.
srvsvc_ShareType_tostr (val)

Convert a srvsvc_ShareType value to a string that can be shown to the user. This is based on the _str table.

Parameters

val
The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.
string_to_unicode (string, do_null)

Convert a string to Unicode (UTF-16 LE), optionally add a null terminator, and align it to 4-byte boundaries.

This is frequently used in MSRPC calls, so I put it here, but it might be a good idea to move this function (and the converse one below) into a separate library.

Parameters

string
The string to convert.
do_null
[optional] Add a null-terminator to the unicode string. Default false.

Return value:

The unicode version of the string.
svcctl_ControlCode_tostr (val)

Convert a svcctl_ControlCode value to a string that can be shown to the user. This is based on the _str table.

Parameters

val
The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.
unicode_to_string (buffer, pos, length, do_null)

Read a unicode string from a buffer, optionally eat the null terminator, and optionally align it to 4-byte boundaries.

Parameters

buffer
The buffer to read from, typically the full 'arguments' value for MSRPC
pos
The position in the buffer to start
length
The number of ascii characters that will be read (including the null, if do_null is set).
do_null
[optional] Remove a null terminator from the string as the last character. Default false.

Return values:

  1. pos The new position
  2. string The string read. If there was an attempt to read off the end of the string, then 'nil' is returned for both parameters.
unmarshall_dom_sid2 (data, pos)

Unmarshall a dom_sid struct

   typedef [public,gensize,noprint,noejs,nosize] struct {
       uint8  sid_rev_num;             /**< SID revision number */
       [range(0,15)] int8  num_auths;  /**< Number of sub-authorities */
       uint8  id_auth[6];              /**< Identifier Authority */
       uint32 sub_auths[num_auths];
   } dom_sid;

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
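
The dom_sid typedef above, converted to and from the "S-1-5-..." string form, as an added Python example that is not the library's Lua code. It handles exactly the fields in the typedef (any array-size prefix a particular call places in front of the struct is out of scope); the function names and sample SIDs are constructed for illustration.

```python
import struct

MAX_SUB_AUTHS = 15   # [range(0,15)] on num_auths in the typedef


def marshall_dom_sid(sid):
    """Turn 'S-<rev>-<authority>-<sub>-...' into the wire form of dom_sid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    rev, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= rev <= 0xFF or not 0 <= authority < (1 << 48):
        raise ValueError("revision or authority out of range")
    if len(subs) > MAX_SUB_AUTHS or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("too many sub-authorities, or one is out of range")
    return (struct.pack("<BB", rev, len(subs))
            + authority.to_bytes(6, "big")              # id_auth[6], big endian
            + struct.pack("<%dI" % len(subs), *subs))   # sub_auths, little endian


def unmarshall_dom_sid(data, pos):
    """Return (new_pos, sid_string), or (None, None) for malformed input."""
    if pos < 0 or pos + 8 > len(data):
        return None, None
    rev, num_auths = struct.unpack_from("<BB", data, pos)
    # num_auths is attacker-controlled: enforce the IDL range before using it
    # as a loop bound. Read unsigned, so a negative int8 also fails this check.
    if num_auths > MAX_SUB_AUTHS:
        return None, None
    end = pos + 8 + 4 * num_auths
    if end > len(data):
        return None, None                # sub_auths would run off the buffer
    authority = int.from_bytes(data[pos + 2:pos + 8], "big")
    subs = struct.unpack_from("<%dI" % num_auths, data, pos + 8)
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return end, sid
```

The identifier authority is the one big-endian field in the struct, which is easy to get wrong when the rest of the packet is little endian.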
unmarshall_dom_sid2_ptr (data, pos)

Unmarshall a pointer to a dom_sid2 struct. See the unmarshall_dom_sid2 function for more information.

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_hyper (data, pos)

Unmarshalls a hyper.

I have no idea what a hyper is, just that it seems to be a 64-bit data type used for measuring time, and that the units happen to be negative microseconds. This function converts the value to seconds and returns it.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, val) The new position, and the result in seconds.
unmarshall_int16 (data, pos, pad)

Unmarshall an int16. See marshall_int16 for more information.

Parameters

data
The data packet.
pos
The position within the data.
pad
[optional] If set, will remove extra bytes to align the packet. Default: true.

Return value:

(pos, int16) The new position, and the value.
unmarshall_int16_ptr (data, pos, pad)

Unmarshall a pointer to an int16. See marshall_int16_ptr for more information.

Parameters

data
The data packet.
pos
The position within the data.
pad
[optional] If set, will remove extra bytes to align the packet. Default: true.

Return value:

(pos, int16) The new position, and the value.
unmarshall_int32 (data, pos)

Unmarshall an int32. See marshall_int32 for more information.

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, int32) The new position, and the value.
unmarshall_int32_array (data, pos, count)

Unmarshall an array of int32s.

Parameters

data
The data packet.
pos
The position within the data.
count
 

Return value:

(pos, str) The position, and the resulting string, which cannot be nil.
unmarshall_int32_array_ptr (data, pos)

Unmarshall a pointer to an array of int32s.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, str) The position, and the resulting string, which cannot be nil.
unmarshall_int32_ptr (data, pos)

Unmarshall a pointer to an int32. See marshall_int32_ptr for more information.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, int32) The new position, and the value.
unmarshall_int64 (data, pos)

Unmarshall an int64. See marshall_int64 for more information.

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, int64) The new position, and the value.
unmarshall_int8 (data, pos, pad)

Unmarshall an int8. See marshall_int8 for more information.

Parameters

data
The data packet.
pos
The position within the data.
pad
[optional] If set, will remove extra bytes to align the packet. Default: true.

Return value:

(pos, int8) The new position, and the value.
unmarshall_int8_array (data, pos, pad)

Unmarshall an array of int8s.

Parameters

data
The data packet.
pos
The position within the data.
pad
[optional] If set to true, will align data on 4-byte boundaries. Default: true.

Return value:

(pos, str) The position, and the resulting string, which cannot be nil.
unmarshall_int8_array_ptr (data, pos, pad)

Unmarshall a pointer to an array of int8s. By default, aligns the result to 4-byte boundaries.

Parameters

data
The data packet.
pos
The position within the data.
pad
[optional] If set to true, will align data on 4-byte boundaries. Default: true.

Return value:

(pos, str) The position, and the resulting string, which cannot be nil.
unmarshall_int8_ptr (data, pos, pad)

Unmarshall a pointer to an int8. See marshall_int8_ptr for more information.

Parameters

data
The data packet.
pos
The position within the data.
pad
[optional] If set, will remove extra bytes to align the packet. Default: true.

Return value:

(pos, int8) The new position, and the value.
unmarshall_lptstr (w_str, startpos)

Unmarshalls a null-terminated Unicode string (LPTSTR datatype)

Parameters

w_str
The data being processed
startpos
The current position within the data

Return values:

  1. The new position
  2. The unmarshalled string
unmarshall_lsa_LookupNamesLevel (data, pos)

Unmarshall a lsa_LookupNamesLevel. This datatype is tied to the table with that name.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.
unmarshall_lsa_RefDomainList (data, pos)

Unmarshall a lsa_RefDomainList struct

   typedef struct {
       [range(0,1000)] uint32 count;
       [size_is(count)] lsa_DomainInfo *domains;
       uint32 max_size;
   } lsa_RefDomainList;

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_lsa_RefDomainList_ptr (data, pos)

Unmarshall a pointer to a lsa_RefDomainList. See the unmarshall_lsa_RefDomainList function for more information.

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_lsa_SidArray (data, pos)

Unmarshall a lsa_SidArray struct

   typedef [public] struct {
       [range(0,1000)] uint32 num_sids;
       [size_is(num_sids)] lsa_SidPtr *sids;
   } lsa_SidArray;

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_lsa_SidPtr (location, data, pos, result)

Unmarshall a lsa_SidPtr struct

   typedef struct {
       dom_sid2 *sid;
   } lsa_SidPtr;

Parameters

location
The part of the pointer wanted, either HEAD (for the data itself), BODY (for nothing, since this isn't a pointer), or ALL (for the data). Generally, unless the referent_id is split from the data (for example, in an array), you will want ALL.
data
The data being processed.
pos
The position within data.
result
This is required when unmarshalling the BODY section, which always comes after unmarshalling the HEAD. It is the result returned for this parameter during the HEAD unmarshall. If the referent_id was '0', then this function doesn't unmarshall anything.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_lsa_SidType (data, pos)

Unmarshall a lsa_SidType. This datatype is tied to the table with that name.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.
unmarshall_lsa_TransNameArray2 (data, pos)

Unmarshall a lsa_TransNameArray2 structure. See marshall_lsa_TransNameArray2 for more information.

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_lsa_TransSidArray2 (data, pos)

Unmarshall a lsa_TransSidArray2 struct

   typedef struct {
       [range(0,1000)] uint32 count;
       [size_is(count)] lsa_TranslatedSid2 *sids;
   } lsa_TransSidArray2;

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_NTTIME (data, pos)

Unmarshalls an NTTIME. See marshall_NTTIME for more information.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, time) The new position, and the time in seconds since 1970.
unmarshall_NTTIME_ptr (data, pos)

Unmarshalls an NTTIME*.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, time) The new position, and the time in seconds since 1970.
unmarshall_policy_handle (data, pos)

Unmarshalls a policy_handle. See marshall_policy_handle for the structure.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_raw (data, pos, length)

Unmarshall raw data.

Parameters

data
The data packet.
pos
The position within the data.
length
The number of bytes to unmarshall.

Return value:

(pos, data) The new position in the packet, and a string representing the raw data.
unmarshall_samr_AcctFlags (data, pos)

Unmarshall a samr_AcctFlags. This datatype is tied to the table with that name.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.
unmarshall_samr_ConnectAccessMask (data, pos)

Unmarshall a samr_ConnectAccessMask. This datatype is tied to the table with that name.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_samr_DispInfo (data, pos)

Unmarshall a samr_DispInfo struct

   typedef [switch_type(uint16)] union {
       [case(1)] samr_DispInfoGeneral info1;/* users */
       [case(2)] samr_DispInfoFull info2; /* trust accounts? */
       [case(3)] samr_DispInfoFullGroups info3; /* groups */
       [case(4)] samr_DispInfoAscii info4; /* users */
       [case(5)] samr_DispInfoAscii info5; /* groups */
   } samr_DispInfo;

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype. It may also return nil, if there was an error.
unmarshall_samr_DispInfoGeneral (data, pos)

Unmarshall a samr_DispInfoGeneral struct

   typedef struct {
       uint32 count;
       [size_is(count)] samr_DispEntryGeneral *entries;
   } samr_DispInfoGeneral;

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_samr_DomainAccessMask (data, pos)

Unmarshall a samr_DomainAccessMask. This datatype is tied to the table with that name.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_samr_DomainInfo (data, pos)

Unmarshall a samr_DomainInfo union

 typedef [switch_type(uint16)] union {
   [case(1)] samr_DomInfo1 info1;
   [case(2)] samr_DomInfo2 info2;
   [case(3)] samr_DomInfo3 info3;
   [case(4)] samr_DomInfo4 info4;
   [case(5)] samr_DomInfo5 info5;
   [case(6)] samr_DomInfo6 info6;
   [case(7)] samr_DomInfo7 info7;
   [case(8)] samr_DomInfo8 info8;
   [case(9)] samr_DomInfo9 info9;
   [case(11)] samr_DomInfo11 info11;
   [case(12)] samr_DomInfo12 info12;
   [case(13)] samr_DomInfo13 info13;
 } samr_DomainInfo;

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype. May return nil if there was an error.
unmarshall_samr_DomainInfo_ptr (data, pos)

Unmarshall a pointer to a samr_DomainInfo. See unmarshall_samr_DomainInfo for more information.

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype. May return nil if there was an error.
unmarshall_samr_DomInfo1 (data, pos)

Unmarshall a samr_DomInfo1 struct

 typedef struct {
   uint16 min_password_length;
   uint16 password_history_length;
   samr_PasswordProperties password_properties;
   /* yes, these are signed. They are in negative 100ns */
   dlong  max_password_age;
   dlong  min_password_age;
 } samr_DomInfo1;

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
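
The two time encodings on this page, worked through as an added Python example (not the library's Lua code): NTTIME as described under marshall_NTTIME, and the negative 100 ns intervals in the struct above. The packed 24-byte layout with no padding between the two uint16 fields, password_properties kept as a raw 32-bit value, the function names, and the sample bytes are assumptions of this example.

```python
import math
import struct

EPOCH_DELTA = 11644473600       # seconds from 1601-01-01 to 1970-01-01
TICKS_PER_SECOND = 10_000_000   # one tick = 100 ns = 1/10 microsecond
NEVER = -(1 << 63)              # most negative interval; in a password policy
                                # this value means the age limit never applies


def marshall_nttime(unix_seconds):
    """Seconds since 1970 -> 64-bit little-endian count of ticks since 1601."""
    return struct.pack("<Q", (unix_seconds + EPOCH_DELTA) * TICKS_PER_SECOND)


def unmarshall_nttime(data, pos):
    """Return (new_pos, seconds since 1970), or (None, None) if truncated."""
    if pos < 0 or pos + 8 > len(data):
        return None, None
    (ticks,) = struct.unpack_from("<Q", data, pos)
    return pos + 8, ticks // TICKS_PER_SECOND - EPOCH_DELTA


def interval_to_seconds(ticks):
    """Signed count of negative 100 ns ticks -> positive seconds."""
    if ticks == NEVER:
        return math.inf
    return -ticks // TICKS_PER_SECOND


def unmarshall_samr_dom_info1(data, pos):
    """Return (new_pos, dict) for samr_DomInfo1, or (None, None) if truncated."""
    if pos < 0 or pos + 24 > len(data):
        return None, None
    min_len, history, props, max_age, min_age = struct.unpack_from(
        "<HHIqq", data, pos)
    return pos + 24, {
        "min_password_length": min_len,
        "password_history_length": history,
        "password_properties": props,             # raw flags, not decoded here
        "max_password_age": interval_to_seconds(max_age),
        "min_password_age": interval_to_seconds(min_age),
    }


def build_sample_dom_info1(max_age_ticks):
    """Constructed sample: length 7, history 24, flags 1, min age one day."""
    one_day = 86400 * TICKS_PER_SECOND
    return struct.pack("<HHIqq", 7, 24, 1, max_age_ticks, -one_day)
```

Reading the age fields as unsigned, or forgetting the sign flip, turns a 42-day policy into a value that looks like hundreds of thousands of years, so a policy audit built on these fields should special-case the "never" value explicitly.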
unmarshall_samr_DomInfo12 (data, pos)

Unmarshall a samr_DomInfo12 struct

 typedef struct {
   hyper lockout_duration;
   hyper lockout_window;
   uint16 lockout_threshold;
 } samr_DomInfo12;

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_samr_DomInfo8 (data, pos)

Unmarshall a samr_DomInfo8 struct

 typedef struct {
   hyper sequence_num;
   NTTIME domain_create_time;
 } samr_DomInfo8;

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_samr_Ids (data, pos)

Unmarshall a samr_Ids struct

   typedef struct {
       [range(0,1024)]  uint32 count;
       [size_is(count)] uint32 *ids;
   } samr_Ids;

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype. May return nil if there was an error.
unmarshall_samr_PasswordProperties (data, pos)

Unmarshall a samr_PasswordProperties. This datatype is tied to the table with that name.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.
unmarshall_samr_SamArray (data, pos)

Unmarshall a samr_SamArray struct

   typedef struct {
       uint32 count;
       [size_is(count)] samr_SamEntry *entries;
   } samr_SamArray;

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_samr_SamArray_ptr (data, pos)

Unmarshall a pointer to a samr_SamArray type. See unmarshall_samr_SamArray for more information.

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_SERVICE_STATUS (data, pos)

Unmarshall a SERVICE_STATUS struct, converting it to a table.

The structure is as follows:

   typedef struct {
       uint32 type;
       uint32 state;
       uint32 controls_accepted;
       WERROR win32_exit_code;
       uint32 service_exit_code;
       uint32 check_point;
       uint32 wait_hint;
   } SERVICE_STATUS;

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, table) The new position, and the table of values.
unmarshall_srvsvc_NetSessCtr (data, pos)

Unmarshall the top-level NetSessCtr. This is a union; see the marshall function for more information.

Parameters

data
The data being processed.
pos
The position within data

Return value:

(pos, result) The new position in data, and a table representing the datatype. Can be nil if there's an error.
unmarshall_srvsvc_NetSessCtr10 (data, pos)

Unmarshall a NetSessCtr (session container) type 10. See the marshall function for the definition.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_srvsvc_NetShareCtr (data, pos)

Unmarshall the top-level NetShareCtr. This is a union of a bunch of containers; see the equivalent marshall function for more information. At the time of this writing I've only implemented level = 0.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, result) The new position in data, and a table representing the datatype. The result may be nil if there's an error.
unmarshall_srvsvc_NetShareCtr0 (data, pos)

Unmarshall a NetShareCtr (container) type 0. See the marshall function for the definition.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_srvsvc_NetShareInfo (data, pos)

Unmarshall the top-level NetShareInfo. This is a union of a bunch of different structs:

   typedef union {
       [case(0)] srvsvc_NetShareInfo0 *info0;
       [case(1)] srvsvc_NetShareInfo1 *info1;
       [case(2)] srvsvc_NetShareInfo2 *info2;
       [case(501)] srvsvc_NetShareInfo501 *info501;
       [case(502)] srvsvc_NetShareInfo502 *info502;
       [case(1004)] srvsvc_NetShareInfo1004 *info1004;
       [case(1005)] srvsvc_NetShareInfo1005 *info1005;
       [case(1006)] srvsvc_NetShareInfo1006 *info1006;
       [case(1007)] srvsvc_NetShareInfo1007 *info1007;
       [case(1501)] sec_desc_buf *info1501;
       [default] ;
   } srvsvc_NetShareInfo;

Not all of them are implemented, however; look at the code to see which are implemented (at the time of this writing, it's 0, 1, and 2).

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype. This may be nil if there was an error.
unmarshall_srvsvc_ShareType (data, pos)

Unmarshall a srvsvc_ShareType. This datatype is tied to the table with that name.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.
unmarshall_srvsvc_Statistics (data, pos)

Unmarshall a srvsvc_Statistics packet. This is basically a great big struct:

   typedef struct {
       uint32 start;
       uint32 fopens;
       uint32 devopens;
       uint32 jobsqueued;
       uint32 sopens;
       uint32 stimeouts;
       uint32 serrorout;
       uint32 pwerrors;
       uint32 permerrors;
       uint32 syserrors;
       uint32 bytessent_low;
       uint32 bytessent_high;
       uint32 bytesrcvd_low;
       uint32 bytesrcvd_high;
       uint32 avresponse;
       uint32 reqbufneed;
       uint32 bigbufneed;
   } srvsvc_Statistics;

Note that Wireshark (at least, the version I'm using, 1.0.3) gets this wrong, so be careful.

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
unmarshall_srvsvc_Statistics_ptr (data, pos)

Unmarshall a srvsvc_Statistics as a pointer. Wireshark fails to do this and ends up parsing the packet incorrectly, so take care when packet logging.

See unmarshall_srvsvc_Statistics for more information.

Parameters

data
The data being processed.
pos
The position within data.

Return value:

(pos, result) The new position in data, and a table representing the datatype.
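
The following is an added example, not code from this library: a standalone Python decoder for the pointer form described above, showing how a decoder that skips the referent id reads every field one slot off. The function names, the combined bytessent/bytesrcvd keys and the sample bytes are constructed for the illustration.

```python
import struct

# Field order follows the srvsvc_Statistics typedef shown above.
FIELDS = ("start", "fopens", "devopens", "jobsqueued", "sopens", "stimeouts",
          "serrorout", "pwerrors", "permerrors", "syserrors",
          "bytessent_low", "bytessent_high", "bytesrcvd_low", "bytesrcvd_high",
          "avresponse", "reqbufneed", "bigbufneed")
STRUCT = struct.Struct("<17I")  # 17 little-endian uint32 values, 68 bytes


def parse_statistics(data, pos=0):
    """Decode the bare struct at pos. Returns (new_pos, dict)."""
    if pos < 0 or pos + STRUCT.size > len(data):
        raise ValueError("truncated srvsvc_Statistics")
    stats = dict(zip(FIELDS, STRUCT.unpack_from(data, pos)))
    # Recombine the 64-bit byte counters that travel as low/high halves.
    stats["bytessent"] = (stats["bytessent_high"] << 32) | stats["bytessent_low"]
    stats["bytesrcvd"] = (stats["bytesrcvd_high"] << 32) | stats["bytesrcvd_low"]
    return pos + STRUCT.size, stats


def parse_statistics_ptr(data, pos=0):
    """Decode the referent id, then the struct. Referent id 0 is a null pointer."""
    if pos < 0 or pos + 4 > len(data):
        raise ValueError("truncated referent id")
    (referent_id,) = struct.unpack_from("<I", data, pos)
    if referent_id == 0:
        return pos + 4, None
    return parse_statistics(data, pos + 4)


# Constructed sample: referent id 0x00020000, start=1700000000, fopens=3,
# bytessent_low=5, bytessent_high=1, every other field zero.
_values = [1700000000, 3] + [0] * 8 + [5, 1] + [0] * 5
SAMPLE = struct.pack("<I", 0x00020000) + STRUCT.pack(*_values)

if __name__ == "__main__":
    _, as_pointer = parse_statistics_ptr(SAMPLE)
    # Skipping the referent id shifts every field by one slot.
    _, as_struct = parse_statistics(SAMPLE)
    print("pointer:", as_pointer["start"], as_pointer["bytessent"])
    print("struct :", as_struct["start"], as_struct["fopens"])
```
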
unmarshall_svcctl_ControlCode (data, pos)

Unmarshall a svcctl_ControlCode. This datatype is tied to the table with that name.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.
unmarshall_svcctl_State (data, pos)

Unmarshall a svcctl_State. This datatype is tied to the table with that name.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.
unmarshall_svcctl_Type (data, pos)

Unmarshall a svcctl_Type. This datatype is tied to the table with that name.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.
unmarshall_SYSTEMTIME (data, pos)

Unmarshall a SYSTEMTIME structure, converting it to a standard representation.

The structure is as follows:

  typedef struct _SYSTEMTIME {
    WORD wYear;
    WORD wMonth;
    WORD wDayOfWeek;
    WORD wDay;
    WORD wHour;
    WORD wMinute;
    WORD wSecond;
    WORD wMilliseconds;
  } SYSTEMTIME;

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, time) The new position, and the time in seconds since 1970.
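
The following is an added example, not code from this library: a standalone Python decoder for the SYSTEMTIME layout above that range-checks the fields before converting them. It assumes the fields are UTC and accepts only years 1601 to 9999; the function name and sample bytes are constructed for the illustration.

```python
import calendar
import struct

SYSTEMTIME = struct.Struct("<8H")  # eight little-endian WORDs, 16 bytes


def parse_systemtime(data, pos=0):
    """Return (new_pos, seconds since 1970) for the SYSTEMTIME at pos."""
    if pos < 0 or pos + SYSTEMTIME.size > len(data):
        raise ValueError("truncated SYSTEMTIME")
    (year, month, _day_of_week, day,
     hour, minute, second, millis) = SYSTEMTIME.unpack_from(data, pos)
    # The fields come from the remote host: reject impossible values rather
    # than letting them roll over into a plausible-looking timestamp.
    # Assumption: years outside 1601-9999 are treated as invalid.
    if not (1601 <= year <= 9999 and 1 <= month <= 12):
        raise ValueError("SYSTEMTIME year or month out of range")
    if not 1 <= day <= calendar.monthrange(year, month)[1]:
        raise ValueError("SYSTEMTIME day out of range")
    if hour > 23 or minute > 59 or second > 59 or millis > 999:
        raise ValueError("SYSTEMTIME time of day out of range")
    # Assumption: the fields are UTC. wDayOfWeek and wMilliseconds are
    # not needed for a whole-second timestamp and are dropped.
    epoch = calendar.timegm((year, month, day, hour, minute, second))
    return pos + SYSTEMTIME.size, epoch


# Constructed sample: Thursday 2024-02-29 12:34:56.789.
SAMPLE = SYSTEMTIME.pack(2024, 2, 4, 29, 12, 34, 56, 789)

if __name__ == "__main__":
    print(parse_systemtime(SAMPLE))
```
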
unmarshall_unicode (data, pos, do_null)

Unmarshall a string that is in the format: [string,charset(UTF16)] uint16 *str

See marshall_unicode for more information.

Parameters

data
The data buffer.
pos
The position in the data buffer.
do_null
[optional] Discards the final character, the string terminator. Default false.

Return value:

(pos, str) The new position, and the string. The string may be nil.
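
The following is an added example, not code from this library: a standalone Python decoder for the string layout this module describes (max length, offset and length, then UTF-16 characters, with the next value on a 4-byte boundary), including the effect of do_null. It assumes the buffer starts on an aligned offset, that offset is always 0 and that length never exceeds max length; the function names and sample bytes are constructed for the illustration.

```python
import struct


def parse_unicode(data, pos=0, do_null=False):
    """Return (new_pos, str) for a string stored as max length, offset and
    length (three uint32 values) followed by UTF-16LE characters."""
    if pos < 0 or pos + 12 > len(data):
        raise ValueError("truncated string header")
    max_length, offset, length = struct.unpack_from("<III", data, pos)
    pos += 12
    # The counts come from the remote host: check them against each other
    # and against the bytes actually present before slicing.
    # Assumption of this example: offset is 0 and length <= max length.
    if offset != 0 or length > max_length:
        raise ValueError("inconsistent string header")
    end = pos + 2 * length
    if end > len(data):
        raise ValueError("string length exceeds buffer")
    text = data[pos:end].decode("utf-16-le")
    if do_null and text:
        text = text[:-1]  # discard the final character, the terminator
    # The next value starts on a 4-byte boundary (buffer offset 0 is aligned).
    return end + (-end % 4), text


# Constructed sample: "IPC$\0" (5 characters, 2 padding bytes) then "C$\0".
def _wire(s):
    raw = s.encode("utf-16-le")
    return struct.pack("<III", len(s), 0, len(s)) + raw + b"\x00" * (-len(raw) % 4)


SAMPLE = _wire("IPC$\0") + _wire("C$\0")

if __name__ == "__main__":
    pos, first = parse_unicode(SAMPLE, 0, do_null=True)
    pos, second = parse_unicode(SAMPLE, pos, do_null=True)
    print(repr(first), repr(second), pos)
```
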
unmarshall_unicode_ptr (data, pos, do_null)

Unmarshall a pointer to a unicode string.

Parameters

data
The data being processed.
pos
The position within data.
do_null
[optional] Assumes a null is at the end of the string. Default false.

Return value:

(pos, result) The new position and the string.
unmarshall_winreg_AccessMask (data, pos)

Unmarshall a winreg_AccessMask. This datatype is tied to the table with that name.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.
unmarshall_winreg_String (data, pos)

Unmarshall a winreg_String. Since it has the same makeup as winreg_StringBuf, delegate to that.

Parameters

data
The data buffer.
pos
The position in the data buffer.

Return value:

(pos, str) The new position and the string.
unmarshall_winreg_StringBuf (data, pos)

Unmarshall a winreg_StringBuf buffer.

Parameters

data
The data buffer.
pos
The position in the data buffer.

Return value:

(pos, str) The new position and the string.
unmarshall_winreg_StringBuf_ptr (data, pos)

Unmarshall a winreg_StringBuf pointer.

Parameters

data
The data buffer.
pos
The position in the data buffer.

Return value:

(pos, str) The new position and the string.
unmarshall_winreg_Type (data, pos)

Unmarshall a winreg_Type. This datatype is tied to the table with that name.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.
unmarshall_winreg_Type_ptr (data, pos)

Unmarshall a pointer to a winreg_Type. This datatype is tied to the table with that name.

Parameters

data
The data packet.
pos
The position within the data.

Return value:

(pos, str) The new position, and the string representing the datatype.
winreg_AccessMask_tostr (val)

Convert a winreg_AccessMask value to a string that can be shown to the user. This is based on the _str table.

Parameters

val
The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.
winreg_Type_tostr (val)

Convert a winreg_Type value to a string that can be shown to the user. This is based on the _str table.

Parameters

val
The string value (returned by the unmarshall_ function) to convert.

Return value:

A string suitable for displaying to the user, or nil if it wasn't found.