dcerpc_winreg_QueryValue

Michael B Allen mba2000 at ioplex.com
Thu Dec 2 05:21:09 GMT 2004


On Wed, 1 Dec 2004 23:08:47 -0500
"Karl Melcher" <karl at melch.net> wrote:

> Michael,
> 
> I have attached the Ethereal capture and the test program that generated
> the traffic.  The first call to QueryValue gets the size (30 bytes) and
> the 2nd gets the value.  The remote host is an incredibly old (486/66) NT4
> machine and the expected result is an IE version of 5.00.2314.1003 as seen
> in packet 26.
> 
> The correct data is there, but the decode of the data field is wrong.  I
> was looking at the IDL and the source for the dissector from Ethereal for
> the WinReg QueryValue and can see where it goes wrong, but don't yet know
> how to properly express the byte array and size in the IDL.

Just from looking at the capture I think the below would probably work,
although with all the unique pointers I have to wonder if maybe a bunch of
those params are actually just one structure.

Also, MIDL syntax is quite a bit different from PIDL syntax. You'll have to
translate to use it with smbcli.

It would also be best to work from a capture of a Windows client, because if
the current smbcli IDL isn't right the request could be messed up from the
start, in which case you really don't know what you're looking at. If you can
produce such a capture [1], send it to me and I'll verify minimal winreg
calls in Java and then post the MIDL so the Samba guys can update their
stuff.

Mike

typedef struct {
    uint16_t length;          /* bytes in use; the element count is length / 2 */
    uint16_t maximum_length;  /* bytes allocated; the element count is maximum_length / 2 */
    [length_is(length / 2), size_is(maximum_length / 2)] uint16_t *buffer;
} unicode_string;

/* [op(17)] */
int
WinRegQueryValue([in] policy_handle *handle, /* standard policy handle */
    [in] unicode_string *value_name,
    [in,unique] int *reserved,
    [in,unique] int *offered,
    [in,out,unique] int *unknown1,
    [in,out,unique] int *unknown2,
    [out,unique] int *type,
    [out,unique,size_is(*returned),length_is(*returned)] unsigned char *data,
    [in,out,unique] int *offered,   /* same name as the [in] parameter above */
    [in,out,unique] int *returned); /* what does "offered" and "returned" mean? */

[1] Just capture regedit operating on a remote machine. Create a key and set
a value so the capture has a couple of ops I can do.

-- 
Greedo shoots first? Not in my Star Wars.
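As an added illustration that is not part of this thread or of Samba's code: the Python below decodes the [out] side of the prototype Mike posted, using the NDR encoding of a top-level unique pointer (4-byte referent id, then the pointee if non-NULL) and of a conformant-varying byte array (max_count, offset, actual_count, then the bytes). The two sample replies are constructed, not taken from Karl's capture; the parameter order follows the prototype in the mail, which Mike himself flags as uncertain, and the referent ids, the `offered`/`returned` values and the use of ERROR_MORE_DATA for the size-probe call are assumptions. The 30-byte UTF-16LE value matches the size mentioned in the thread.

```python
import struct

# Registry value type and Win32 status used in the constructed samples below.
REG_SZ = 1              # NUL-terminated UTF-16LE string
ERROR_MORE_DATA = 234   # Win32 code assumed for the size-probe reply (assumption)

def ndr_align(pos, n):
    """NDR aligns each primitive to its natural size from the start of the stub."""
    return (pos + n - 1) & ~(n - 1)

def decode_unique_uint32(buf, pos):
    """Top-level [unique] int *: a 4-byte referent id, then the value if non-NULL."""
    pos = ndr_align(pos, 4)
    (ref,) = struct.unpack_from('<I', buf, pos)
    pos += 4
    if ref == 0:
        return None, pos
    (val,) = struct.unpack_from('<I', buf, pos)
    return val, pos + 4

def decode_unique_byte_array(buf, pos):
    """[unique,size_is(),length_is()] unsigned char *: referent id, then the
    conformant-varying header (max_count, offset, actual_count), then the bytes."""
    pos = ndr_align(pos, 4)
    (ref,) = struct.unpack_from('<I', buf, pos)
    pos += 4
    if ref == 0:
        return None, pos
    max_count, offset, actual_count = struct.unpack_from('<III', buf, pos)
    pos += 12
    # Reject headers that would read past the buffer or exceed the declared size.
    if offset != 0 or actual_count > max_count or pos + actual_count > len(buf):
        raise ValueError('bad conformant-varying array header')
    data = bytes(buf[pos:pos + actual_count])
    return data, pos + actual_count

def decode_query_value_reply(buf):
    """Decode the [out] parameters in the order of the prototype in the mail:
    type, data, offered, returned, then the int return value."""
    pos = 0
    type_, pos = decode_unique_uint32(buf, pos)
    data, pos = decode_unique_byte_array(buf, pos)
    offered, pos = decode_unique_uint32(buf, pos)
    returned, pos = decode_unique_uint32(buf, pos)
    pos = ndr_align(pos, 4)
    (status,) = struct.unpack_from('<I', buf, pos)
    value = None
    if data is not None and type_ == REG_SZ:
        # REG_SZ data is UTF-16LE and carries its terminating NUL.
        value = data.decode('utf-16-le').rstrip('\x00')
    return {'type': type_, 'data': data, 'offered': offered,
            'returned': returned, 'status': status, 'value': value}

# --- constructed sample replies (not bytes from the capture in the thread) ----

def encode_unique_uint32(val, referent):
    return struct.pack('<I', 0) if val is None else struct.pack('<II', referent, val)

def encode_query_value_reply(type_, data, offered, returned, status):
    """Build reply bytes in the layout the decoder expects; referent ids are arbitrary."""
    out = encode_unique_uint32(type_, 0x20000)
    if data is None:
        out += struct.pack('<I', 0)                      # NULL data pointer
    else:
        out += struct.pack('<IIII', 0x20004, returned, 0, len(data)) + data
        out += b'\x00' * (-len(data) % 4)               # pad so the next int is 4-aligned
    out += encode_unique_uint32(offered, 0x20008)
    out += encode_unique_uint32(returned, 0x2000c)
    return out + struct.pack('<I', status)

IE_VERSION = '5.00.2314.1003'
VALUE_BYTES = IE_VERSION.encode('utf-16-le') + b'\x00\x00'   # 30 bytes, as in the thread

# Call 1: the client offers no buffer; the server answers with the size it needs.
SIZE_QUERY_REPLY = encode_query_value_reply(REG_SZ, None, 0, 30, ERROR_MORE_DATA)
# Call 2: the client offers 30 bytes; the server returns the 30-byte value.
VALUE_REPLY = encode_query_value_reply(REG_SZ, VALUE_BYTES, 30, 30, 0)

if __name__ == '__main__':
    print(decode_query_value_reply(SIZE_QUERY_REPLY))
    print(decode_query_value_reply(VALUE_REPLY)['value'])
```

The decoder checks the array header before slicing, so a truncated or inconsistent actual_count raises instead of silently yielding a short value; that is the kind of mismatch that makes a dissector show the right bytes on the wire but the wrong decoded field.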
