psexec for samba4 and svcctl.idl
AH
andrzej.hajda at wp.pl
Fri Jun 30 23:19:09 GMT 2006
Hello
I am not a regular samba developer, but I wanted to have a psexec
equivalent, so I wrote it; it works but still needs some development.
I do not know if patches of such size (about 30k) are welcome on this
list, so I've put it on a web page, with some description:
http://eol.ovh.org/winexe/
Comments welcome.
I will describe what I have changed in svcctl.idl and my
observations/propositions for new types.
This patch does not make many changes in samba4 files; it just adds one
subdir (with the program) and modifies 2 files.
In main.mk it adds the line "+include winexe/config.mk" - nothing interesting.
The main changes are in librpc/idl/svcctl.idl, diff at the end of e-mail.
The changes in librpc/idl/svcctl.idl are just a dirty hack, because of the lack
of some idl types.
What I have changed in svcctl.idl:
1. svcctl_OpenServiceW - quite clean patch
a) Parameter ServiceName cannot be null, so ndr_push_*_ptr should not be
generated by pidl; adding [ref] before the parameter solves the problem
b) function returns policy_handle* so I have added "[out,ref]
policy_handle *handle".
2. svcctl_CreateServiceW - dirty patch
a) Changed 'handle' to 'scmanager_handle' - I have reserved 'handle' for the
service handle, and it is more consistent with svcctl_OpenServiceW
b) ServiceName - added [ref], as in point 1a
c) binary_path - added [ref], as in point 1a (according to msdn it also
cannot be null)
d) TagId - it is also used as input (if null, Windows does not fill
*TagId), so I've changed it to "[in,out] uint32 *TagId"
e) dependencies - (dirty part) - according to MSDN it is a "Pointer to a
double null-terminated array of null-separated names", and this is how it is
encoded on the wire:
Sample, fragment of a network packet with two dependencies (ahdep1, ahdep2):
0150 90 9b 09 00 1e 00 ................
0160 00 00 61 00 68 00 64 00 65 00 70 00 31 00 00 00 ..a.h.d.e.p.1...
0170 61 00 68 00 64 00 65 00 70 00 32 00 00 00 00 00 a.h.d.e.p.2.....
0180 00 00 1e 00 00 00
So we have:
- some ptr (4 bytes) - 90 9b 09 00
- length of array in bytes (4 bytes) - 1e 00 00 00
- "double null-terminated array of null-separated names" in utf16 (0x1e
bytes) - 61 00 68 00 64 00 65 00 70 00 31 00 00 00 61 00 68 00 64 00 65
00 70 00 32 00 00 00 00 00
- alignment (2 bytes) - 00 00
- again length of array in bytes (4 bytes) - 1e 00 00 00
I haven't found this kind of type in idl, so I have encoded it with a dirty hack as:
[in] [string,charset(UTF16)] uint16 *dependencies,
[in] uint32 fix_len_dependencies,
For null dependencies it works flawlessly :)
f) password - similar story:
after encryption (I do not know what algorithm is used, any guesses?) the
password is saved as an array of bytes in the format:
- some ptr (4 bytes),
- length in bytes (4 bytes),
- array (length bytes),
- again length in bytes (4 bytes)
I've made again a dirty hack:
[in] [string,charset(UTF16)] uint16 *password,
[in] uint32 fix_len_password,
And again it works OK with null passwords.
g) Added result:
[out,ref] policy_handle *handle
I hope it will be helpful to somebody.
Andrzej Hajda
And the promised diff:
===================================================================
--- librpc/idl/svcctl.idl (revision 16714)
+++ librpc/idl/svcctl.idl (working copy)
@@ -164,19 +164,22 @@
/*****************/
/* Function 0x0c */
- WERROR svcctl_CreateServiceW([in,ref] policy_handle *handle,
- [in]
[string,charset(UTF16)] uint16 *ServiceName,
+ WERROR svcctl_CreateServiceW([in,ref] policy_handle
*scmanager_handle,
+ [in,ref]
[string,charset(UTF16)] uint16 *ServiceName,
[in]
[string,charset(UTF16)] uint16 *DisplayName,
[in]
uint32 desired_access,
[in]
uint32 type,
[in]
uint32 start_type,
[in]
uint32 error_control,
- [in]
[string,charset(UTF16)] uint16 *binary_path,
+ [in,ref]
[string,charset(UTF16)] uint16 *binary_path,
[in]
[string,charset(UTF16)] uint16 *LoadOrderGroupKey,
- [out]
uint32 *TagId,
+ [in,out]
uint32 *TagId,
[in]
[string,charset(UTF16)] uint16 *dependencies,
+ [in]
uint32 fix_len_dependencies,
[in]
[string,charset(UTF16)] uint16 *service_start_name,
- [in]
[string,charset(UTF16)] uint16 *password);
+ [in]
[string,charset(UTF16)] uint16 *password,
+ [in]
uint32 fix_len_password,
+
[out,ref] policy_handle *handle);
/*****************/
/* Function 0x0d */
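Review bot: the `[in] [string,charset(UTF16)] uint16 *dependencies` plus `[in] uint32 fix_len_dependencies` pair does not describe the layout the mail documents (ptr, byte length, double-NUL-terminated UTF-16 names, alignment, byte length again): a `[string]` uint16 pointer is marshalled up to the first NUL, so the pidl-generated push will emit only the first name and compute its own length rather than the one the wire carries, and `fix_len_dependencies` then stands in for a field the server expects to match the real array size. The same applies to `password` / `fix_len_password`, where the payload is opaque encrypted bytes rather than a UTF-16 string. Consider a sized `uint16` array (e.g. `[size_is(len/2)] uint16 *dependencies` with the length carried as a real NDR field) rather than the extra uint32 parameters, and note in the IDL comment that the current form is only known to work for null dependencies and null passwords, as the mail states.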
@@ -210,8 +213,9 @@
/*****************/
/* Function 0x10 */
WERROR svcctl_OpenServiceW([in,ref] policy_handle *scmanager_handle,
- [in]
[string,charset(UTF16)] uint16 *ServiceName,
- [in] uint32
access_mask);
+ [in,ref]
[string,charset(UTF16)] uint16 *ServiceName,
+ [in] uint32
access_mask,
+ [out,ref]
policy_handle *handle);
/*****************/
/* Function 0x11 */
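Review bot: adding `[in,ref]` to `ServiceName` changes the generated client stub from "push a possibly-NULL pointer" to "dereference unconditionally", so every caller of svcctl_OpenServiceW (winexe and any existing Samba code) needs to be audited to guarantee it never passes NULL; otherwise the stub crashes on the client instead of the server returning an error. The new `[out,ref] policy_handle *handle` is consistent with the CreateServiceW hunk and with the renamed `scmanager_handle` there, which is good; a one-line comment stating that `handle` is the returned service handle would make the two functions read alike.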
===================================================================
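As an added example (my own code, not part of the mail, the patch or Samba), here is the dependencies encoding from point 2e written out as a Python encoder/decoder and checked against the packet fragment quoted above; the referent id 0x00099b90 is taken from the dump, and the function names are mine.

```python
import struct

# Bytes of the packet fragment quoted in the mail (dependencies
# "ahdep1" and "ahdep2"), reassembled from its hex dump.
CAPTURED = bytes.fromhex(
    "90 9b 09 00"                                # referent id ("some ptr")
    "1e 00 00 00"                                # byte length of the array
    "61 00 68 00 64 00 65 00 70 00 31 00 00 00"  # "ahdep1\0" in UTF-16LE
    "61 00 68 00 64 00 65 00 70 00 32 00 00 00"  # "ahdep2\0" in UTF-16LE
    "00 00"                                      # final NUL of the double-NUL array
    "00 00"                                      # padding to 4-byte alignment
    "1e 00 00 00"                                # byte length repeated
)


def encode_dependencies(names, referent=0x00099B90):
    """Encode a list of service names the way the dump shows:
    ptr, byte length, double-NUL-terminated UTF-16LE names,
    alignment padding, byte length again.  An empty list is sent
    as a NULL pointer (just a zero referent id)."""
    if not names:
        return struct.pack("<I", 0)
    data = b"".join((n + "\0").encode("utf-16-le") for n in names)
    data += "\0".encode("utf-16-le")          # second terminating NUL
    pad = (-len(data)) % 4                    # trailing uint32 is 4-aligned
    return (struct.pack("<II", referent, len(data)) + data
            + b"\0" * pad + struct.pack("<I", len(data)))


def decode_dependencies(blob):
    """Parse the same layout; returns (referent, names, bytes_consumed).
    Both length fields must agree and the array must end in a double NUL."""
    (referent,) = struct.unpack_from("<I", blob, 0)
    if referent == 0:
        return referent, [], 4
    (length,) = struct.unpack_from("<I", blob, 4)
    data = blob[8:8 + length]
    if len(data) != length or length % 2:
        raise ValueError("truncated or odd-length UTF-16 array")
    end = 8 + length + (-length) % 4
    (length2,) = struct.unpack_from("<I", blob, end)
    if length2 != length:
        raise ValueError("trailing length %d != %d" % (length2, length))
    text = data.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("array is not double-NUL-terminated")
    names = text[:-2].split("\0") if len(text) > 2 else []
    return referent, names, end + 4
```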