Wireshark-dev: Re: [Wireshark-dev] [openchange][devel] Parsing array and its size in EcDoRpcExt

From: Julien Kerihuel <j.kerihuel@xxxxxxxxxxxxxx>
Date: Tue, 28 Apr 2009 16:46:16 +0200
On Tue, 2009-04-28 at 11:16 +0200, Julien Kerihuel wrote:     
> Conclusion:
>         1. I plan to implement this similarly to what was done for
>         EcDoRpc:
>                 - Try to write as much EcDoRpcExt2 related structures as
>                 possible, tag them as public and use NDR_NOALIGN
>         2. Only write manually the mapi2k3_rgbIn pull/push/print
>         functions and rely as much as possible on generated/existing
>         IDL.

Hi All,

I've made some progress since this morning:

        - I support either XorMagic or Compressed rgbIn
        
        - The blob is dumped properly with mapi_request
        
I can't actually use the compression() keyword in pidl and have instead
been:
        - adding the [public,nopull] keywords to the mapi2k7_request
        structure + wrote a custom implementation
        - cloning the existing ndr_pull_compression_xpress_start/
        ndr_pull_compression_xpress_chunk and modified them to match the
        expected behavior.
        
Preliminary pointers while this cloning is required at the moment:
        - the decomp routine is using some extra parameters we do not
        have in the compressed MAPI blob.
        - there is a header problem when using compression (it looks for
        ndr/compression.h header file, which isn't installed)
        

The following is a list of what remains:
        - "chained calls" behavior/code needs to be implemented
        
        - The current behavior is only implemented for request and need
        to be extended to response
        
        - I am currently working on adding the implementation for the
        AUX_HEADER structure we have in rgbAuxIn and rgbAuxOut buffer
        
        - We need either to extract the original obfuscate_data call
        from ndr_{pull,push}_mapi_request code to an upper layer or
        factorize the code with a custom parameter.
        
I have attached 2 sample ndrdump output for EcDoRpcExt2:
        - one demonstrating the dump of a compressed request
        - the other showing the dump of a xormagic request

Cheers,
Julien

---
Julien Kerihuel
j.kerihuel@xxxxxxxxxxxxxx
OpenChange Project Manager

GPG Fingerprint: 0B55 783D A781 6329 108A  B609 7EF6 FE11 A35F 1F79


jkerihuel@cerebrox:/tmp/sample_capture$ ndrdump -l libmapi.so exchange_emsmdb 0xb in 10_in_Mapi_EcDoRpc --dump-data -d10
lp_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[globals]"
pm_process() returned Yes
adding hidden service IPC$
adding hidden service ADMIN$
pull returned NT_STATUS_OK
256 bytes consumed
[0000] 00 00 00 00 4C 8B 0E F2   38 1F E9 49 87 F0 1A CD   ....L... 8..I....
[0010] E1 84 41 B7 00 00 00 00   AF 00 00 00 00 00 05 00   ..A..... ........
[0020] A7 00 B6 00 09 08 00 00   AE 00 05 00 00 01 02 12   ........ ........
[0030] 00 01 00 04 00 14 00 48   67 14 00 4A 18 00 4D 67   .......H g..J..Mg
[0040] 03 00 4E 67 13 A8 00 01   00 01 00 00 04 40 02 40   ..Ng.... .....@.@
[0050] 00 08 30 01 18 64 00 00   4F 40 00 70 00 00 03 00   ..0..d.. [email protected]....
[0060] 04 04 1F 00 1A 00 19 00   49 00 50 00 4D 00 2E 00   ........ I.P.M...
[0070] 45 00 10 51 40 00 78 00   74 00 65 00 6E 00 64 28   [email protected]. t.e.n.d(
[0080] 00 64 00 52 00 75 00 6C   48 00 2E E8 00 65 00 73   .d.R.u.l H....e.s
[0090] 08 00 61 00 67 48 00 00   00 08 1F 00 2B 82 12 00   ..a.gH.. ....+...
[00A0] EC 65 01 02 EC 65 19 00   4A 40 01 6E 00 6B 00 20   .e...e.. [email protected]. 
[00B0] 10 02 2D 00 6D 30 01 69   C0 01 20 06 02 02 00 6C   ..-.m0.i .. ....l
[00C0] 00 00 00 FF FF FF FF FF   FF FF FF 00 AF 00 00 00   ........ ........
[00D0] 07 80 00 00 20 00 00 00   00 00 06 00 18 00 18 00   .... ... ........
[00E0] 08 00 01 01 01 00 07 00   10 00 01 0C 0F 00 00 00   ........ ........
[00F0] 0F 00 00 00 06 00 00 00   20 00 00 00 88 00 00 00   ........  .......
    0xb: struct EcDoConnectExt2
        in: struct EcDoConnectExt2
            handle                   : *
                handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : f20e8b4c-1f38-49e9-87f0-1acde18441b7
            pulFlags                 : *
                pulFlags                 : 0x00000000 (0)
                       0: pulFlags_NoCompression   
                       0: pulFlags_NoXorMagic      
                       0: pulFlags_Chain           
            rgbIn                    : *
                rgbIn: struct mapi2k7_request
                    header: struct RPC_HEADER_EXT
                        Version                  : 0x0000 (0)
                        Flags                    : 0x0005 (5)
                               1: RHEF_Compressed          
                               0: RHEF_XorMagic            
                               1: RHEF_Last                
                        Size                     : 0x00a7 (167)
                        SizeActual               : 0x00b6 (182)
                    mapi_request             : *
                        mapi_len                 : 0x000000b6 (182)
                        length                   : 0x00ae (174)
                            mapi_request: struct EcDoRpc_MAPI_REQ
                                opnum                    : 0x05 (5)
                                logon_id                 : 0x00 (0)
                                handle_idx               : 0x00 (0)
                                u                        : union EcDoRpc_MAPI_REQ_UNION(case 5)
                                mapi_GetContentsTable: struct GetContentsTable_req
                                    handle_idx               : 0x01 (1)
                                    TableFlags               : 0x02 (2)
                                           0: TableFlags_Depth         
                                           0: TableFlags_DeferredErrors
                                           0: TableFlags_NoNotifications
                                           0: TableFlags_SoftDeletes   
                                           0: TableFlags_UseUnicode    
                                           0: TableFlags_SuppressNotifications
                            mapi_request: struct EcDoRpc_MAPI_REQ
                                opnum                    : 0x12 (18)
                                logon_id                 : 0x00 (0)
                                handle_idx               : 0x01 (1)
                                u                        : union EcDoRpc_MAPI_REQ_UNION(case 18)
                                mapi_SetColumns: struct SetColumns_req
                                    SetColumnsFlags          : SetColumns_TBL_SYNC (0)
                                    prop_count               : 0x0004 (4)
                                    properties: ARRAY(4)
                                        properties               : PR_FID (0x67480014)
                                        properties               : PR_MID (0x674A0014)
                                        properties               : PR_INST_ID (0x674D0014)
                                        properties               : PR_INSTANCE_NUM (0x674E0003)
                            mapi_request: struct EcDoRpc_MAPI_REQ
                                opnum                    : 0x13 (19)
                                logon_id                 : 0x00 (0)
                                handle_idx               : 0x01 (1)
                                u                        : union EcDoRpc_MAPI_REQ_UNION(case 19)
                                mapi_SortTable: struct SortTable_req
                                    SortTableFlags           : 0x00 (0)
                                    lpSortCriteria: struct SSortOrderSet
                                        cSorts                   : 0x0001 (1)
                                        cCategories              : 0x0000 (0)
                                        cExpanded                : 0x0000 (0)
                                        aSort: ARRAY(1)
                                            aSort: struct SSortOrder
                                                ulPropTag                : PR_LAST_MODIFICATION_TIME (0x30080040)
                                                ulOrder                  : TABLE_SORT_COMBINE (0x1)
                            mapi_request: struct EcDoRpc_MAPI_REQ
                                opnum                    : 0x18 (24)
                                logon_id                 : 0x00 (0)
                                handle_idx               : 0x01 (1)
                                u                        : union EcDoRpc_MAPI_REQ_UNION(case 24)
                                mapi_SeekRow: struct SeekRow_req
                                    origin                   : BOOKMARK_BEGINNING (0)
                                    offset                   : 0
                                    WantRowMovedCount        : 0x00 (0)
                            mapi_request: struct EcDoRpc_MAPI_REQ
                                opnum                    : 0x4f (79)
                                logon_id                 : 0x00 (0)
                                handle_idx               : 0x01 (1)
                                u                        : union EcDoRpc_MAPI_REQ_UNION(case 79)
                                mapi_FindRow: struct FindRow_req
                                    ulFlags                  : DIR_FORWARD (0)
                                    res: struct mapi_SRestriction
                                        rt                       : 0x00 (0)
                                        res                      : union mapi_SRestriction_CTR(case 0)
                                        resAnd: struct mapi_SAndRestriction
                                            cRes                     : 0x0003 (3)
                                            res: ARRAY(3)
                                                res: struct mapi_SRestriction_and
                                                    rt                       : 0x04 (4)
                                                    res                      : union mapi_SRestriction_CTR(case 4)
                                                    resProperty: struct mapi_SPropertyRestriction
                                                        relop                    : 0x04 (4)
                                                        ulPropTag                : PR_MESSAGE_CLASS_UNICODE (0x1A001F)
                                                        lpProp: struct mapi_SPropValue
                                                            ulPropTag                : PR_MESSAGE_CLASS_UNICODE (0x1A001F)
                                                            value                    : union mapi_SPropValue_CTR(case 31)
                                                            lpszW                    : 'IPM.ExtendedRule.Message'
                                                res: struct mapi_SRestriction_and
                                                    rt                       : 0x08 (8)
                                                    res                      : union mapi_SRestriction_CTR(case 8)
                                                    resExist: struct mapi_SExistRestriction
                                                        ulPropTag                : PR_RULE_MSG_NAME_UNICODE (0x65EC001F)
                                                res: struct mapi_SRestriction_and
                                                    rt                       : 0x04 (4)
                                                    res                      : union mapi_SRestriction_CTR(case 4)
                                                    resProperty: struct mapi_SPropertyRestriction
                                                        relop                    : 0x04 (4)
                                                        ulPropTag                : PR_RULE_MSG_NAME_UNICODE (0x65EC001F)
                                                        lpProp: struct mapi_SPropValue
                                                            ulPropTag                : PR_RULE_MSG_NAME_UNICODE (0x65EC001F)
                                                            value                    : union mapi_SPropValue_CTR(case 31)
                                                            lpszW                    : 'Junk E-mail Rule'
                                    origin                   : BOOKMARK_BEGINNING (0)
                                    bookmark                 : SBinary_short cb=0
                            mapi_request             : (handles) number=2
                                handle                   : 0x0000006c (108)
                                handle                   : 0xffffffff (4294967295)
                cbIn                     : 0x000000af (175)
                pcbOut                   : *
                    pcbOut                   : 0x00008007 (32775)
                rgbAuxIn: struct mapi2k7_request2
                    header: struct RPC_HEADER_EXT
                        Version                  : 0x0000 (0)
                        Flags                    : 0x0006 (6)
                               0: RHEF_Compressed          
                               1: RHEF_XorMagic            
                               1: RHEF_Last                
                        Size                     : 0x0018 (24)
                        SizeActual               : 0x0018 (24)
                    buffer                   : DATA_BLOB length=24
[0000] 08 00 01 01 01 00 07 00   10 00 01 0C 0F 00 00 00   ........ ........
[0010] 0F 00 00 00 06 00 00 00                            ........ 
                cbAuxIn                  : 0x00000020 (32)
                pcbAuxOut                : *
                    pcbAuxOut                : 0x00000088 (136)
dump OK
jkerihuel@cerebrox:/tmp/sample_capture$ 
jkerihuel@cerebrox:/tmp/sample_capture$ ndrdump -l libmapi.so exchange_emsmdb 0xb in 11_in_Mapi_EcDoRpc --dump-data -d10
lp_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[globals]"
pm_process() returned Yes
adding hidden service IPC$
adding hidden service ADMIN$
pull returned NT_STATUS_OK
128 bytes consumed
[0000] 00 00 00 00 80 A6 D5 34   EA 4F F7 4C 85 E8 DC 70   .......4 .O.L...p
[0010] 5C D5 C8 2F 00 00 00 00   1F 00 00 00 00 00 06 00   \../.... ........
[0020] 17 00 17 00 13 00 07 00   00 00 00 00 00 02 00 1F   ........ ........
[0030] 00 1C 66 02 01 1B 66 37   00 00 00 A5 1F 00 00 00   ..f...f7 ........
[0040] 07 80 00 00 2E 00 00 00   00 00 05 00 26 00 30 00   ........ ....&.0.
[0050] 86 A7 A0 A5 AD A5 A4 A4   A4 A5 A6 A5 B5 A5 A4 A9   ........ ........
[0060] A5 A1 A5 A7 BD A5 BD A5   A7 AB A4 A5 AC A5 B4 A5   ........ ........
[0070] A2 60 A5 A5 A5 A5 00 00   2E 00 00 00 88 00 00 00   .`...... ........
    0xb: struct EcDoConnectExt2
        in: struct EcDoConnectExt2
            handle                   : *
                handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : 34d5a680-4fea-4cf7-85e8-dc705cd5c82f
            pulFlags                 : *
                pulFlags                 : 0x00000000 (0)
                       0: pulFlags_NoCompression   
                       0: pulFlags_NoXorMagic      
                       0: pulFlags_Chain           
            rgbIn                    : *
                rgbIn: struct mapi2k7_request
                    header: struct RPC_HEADER_EXT
                        Version                  : 0x0000 (0)
                        Flags                    : 0x0006 (6)
                               0: RHEF_Compressed          
                               1: RHEF_XorMagic            
                               1: RHEF_Last                
                        Size                     : 0x0017 (23)
                        SizeActual               : 0x0017 (23)
                    mapi_request             : *
                        mapi_len                 : 0x00000017 (23)
                        length                   : 0x0013 (19)
                            mapi_request: struct EcDoRpc_MAPI_REQ
                                opnum                    : 0x07 (7)
                                logon_id                 : 0x00 (0)
                                handle_idx               : 0x00 (0)
                                u                        : union EcDoRpc_MAPI_REQ_UNION(case 7)
                                mapi_GetProps: struct GetProps_req
                                    PropertySizeLimit        : 0x0000 (0)
                                    WantUnicode              : 0x0000 (0)
                                    prop_count               : 0x0002 (2)
                                    properties: ARRAY(2)
                                        properties               : PR_MAILBOX_OWNER_NAME_UNICODE (0x661C001F)
                                        properties               : PR_MAILBOX_OWNER_ENTRYID (0x661B0102)
                            mapi_request             : (handles) number=1
                                handle                   : 0x00000037 (55)
                cbIn                     : 0x0000001f (31)
                pcbOut                   : *
                    pcbOut                   : 0x00008007 (32775)
                rgbAuxIn: struct mapi2k7_request2
                    header: struct RPC_HEADER_EXT
                        Version                  : 0x0000 (0)
                        Flags                    : 0x0005 (5)
                               1: RHEF_Compressed          
                               0: RHEF_XorMagic            
                               1: RHEF_Last                
                        Size                     : 0x0026 (38)
                        SizeActual               : 0x0030 (48)
                    buffer                   : DATA_BLOB length=38
[0000] 86 A7 A0 A5 AD A5 A4 A4   A4 A5 A6 A5 B5 A5 A4 A9   ........ ........
[0010] A5 A1 A5 A7 BD A5 BD A5   A7 AB A4 A5 AC A5 B4 A5   ........ ........
[0020] A2 60 A5 A5 A5 A5                                 .`.... 
                cbAuxIn                  : 0x0000002e (46)
                pcbAuxOut                : *
                    pcbAuxOut                : 0x00000088 (136)
dump OK
jkerihuel@cerebrox:/tmp/sample_capture$ 

Attachment: signature.asc
Description: This is a digitally signed message part