>From 1e3535af4a752f74fdbbe36dcb1b2cfbd2fd39a2 Mon Sep 17 00:00:00 2001 From: Matthieu Patou Date: Sun, 6 Oct 2013 17:08:20 -0700 Subject: [PATCH 06/21] Update generated file for efs Signed-off-by: Matthieu Patou --- epan/dissectors/packet-dcerpc-efs.c | 215 ++++++++++++++++++++---------------- 1 file changed, 122 insertions(+), 93 deletions(-) diff --git a/epan/dissectors/packet-dcerpc-efs.c b/epan/dissectors/packet-dcerpc-efs.c index c48f667..f7992e1 100644 --- a/epan/dissectors/packet-dcerpc-efs.c +++ b/epan/dissectors/packet-dcerpc-efs.c @@ -12,7 +12,6 @@ #include "config.h" - #ifdef _MSC_VER #pragma warning(disable:4005) #pragma warning(disable:4013) @@ -39,38 +38,38 @@ static gint ett_efs_ENCRYPTION_CERTIFICATE = -1; /* Header field declarations */ -static gint hf_efs_EfsRpcCloseRaw_pvContext = -1; -static gint hf_efs_EfsRpcSetFileEncryptionKey_pEncryptionCertificate = -1; +static gint hf_efs_EfsRpcQueryUsersOnFile_pUsers = -1; +static gint hf_efs_EfsRpcDecryptFileSrv_FileName = -1; +static gint hf_efs_EfsRpcEncryptFileSrv_Filename = -1; static gint hf_efs_EfsRpcOpenFileRaw_pvContext = -1; -static gint hf_efs_ENCRYPTION_CERTIFICATE_HASH_pUserSid = -1; +static gint hf_efs_ENCRYPTION_CERTIFICATE_TotalLength = -1; +static gint hf_efs_EFS_CERTIFICATE_BLOB_dwCertEncodingType = -1; +static gint hf_efs_ENCRYPTION_CERTIFICATE_pCertBlob = -1; +static gint hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers = -1; +static gint hf_efs_EfsRpcWriteFileRaw_pvContext = -1; +static gint hf_efs_EFS_HASH_BLOB_pbData = -1; +static gint hf_efs_EfsRpcAddUsersToFile_FileName = -1; static gint hf_efs_EfsRpcReadFileRaw_pvContext = -1; +static gint hf_efs_werror = -1; +static gint hf_efs_EfsRpcSetFileEncryptionKey_pEncryptionCertificate = -1; static gint hf_efs_EfsRpcQueryRecoveryAgents_FileName = -1; -static gint hf_efs_EfsRpcQueryUsersOnFile_FileName = -1; static gint hf_efs_EfsRpcOpenFileRaw_FileName = -1; -static gint hf_efs_ENCRYPTION_CERTIFICATE_pCertBlob = -1; static gint hf_efs_opnum = -1; -static gint hf_efs_EFS_HASH_BLOB_pbData = -1; -static gint hf_efs_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation = -1; -static gint hf_efs_EfsRpcOpenFileRaw_Flags = -1; -static gint hf_efs_EFS_CERTIFICATE_BLOB_pbData = -1; static gint hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash = -1; -static gint hf_efs_EfsRpcEncryptFileSrv_Filename = -1; -static gint hf_efs_EfsRpcRemoveUsersFromFile_FileName = -1; -static gint hf_efs_EfsRpcQueryUsersOnFile_pUsers = -1; -static gint hf_efs_EfsRpcDecryptFileSrv_FileName = -1; -static gint hf_efs_ENCRYPTION_CERTIFICATE_TotalLength = -1; -static gint hf_efs_EfsRpcAddUsersToFile_FileName = -1; -static gint hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents = -1; +static gint hf_efs_EfsRpcDecryptFileSrv_Reserved = -1; static gint hf_efs_ENCRYPTION_CERTIFICATE_HASH_pHash = -1; -static gint hf_efs_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength = -1; -static gint hf_efs_werror = -1; -static gint hf_efs_EFS_HASH_BLOB_cbData = -1; -static gint hf_efs_EfsRpcWriteFileRaw_pvContext = -1; -static gint hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers = -1; +static gint hf_efs_ENCRYPTION_CERTIFICATE_HASH_pUserSid = -1; static gint hf_efs_ENCRYPTION_CERTIFICATE_pUserSid = -1; -static gint hf_efs_EFS_CERTIFICATE_BLOB_dwCertEncodingType = -1; -static gint hf_efs_EfsRpcDecryptFileSrv_Reserved = -1; +static gint hf_efs_EFS_CERTIFICATE_BLOB_pbData = -1; +static gint hf_efs_EFS_HASH_BLOB_cbData = -1; +static gint hf_efs_EfsRpcCloseRaw_pvContext = -1; static gint hf_efs_EFS_CERTIFICATE_BLOB_cbData = -1; +static gint hf_efs_EfsRpcQueryUsersOnFile_FileName = -1; +static gint hf_efs_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength = -1; +static gint hf_efs_EfsRpcOpenFileRaw_Flags = -1; +static gint hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents = -1; +static gint hf_efs_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation = -1; +static gint hf_efs_EfsRpcRemoveUsersFromFile_FileName = -1; static gint proto_dcerpc_efs = -1; /* Version information */ @@ -147,7 +146,7 @@ efs_dissect_struct_dom_sid(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_ /* IDL: struct { */ /* IDL: uint32 cbData; */ -/* IDL: [size_is(cbData)] [unique(1)] uint8 *pbData; */ +/* IDL: [unique(1)] [size_is(cbData)] uint8 *pbData; */ /* IDL: } */ static int @@ -187,14 +186,15 @@ efs_dissect_struct_EFS_HASH_BLOB(tvbuff_t *tvb _U_, int offset _U_, packet_info { proto_item *item = NULL; proto_tree *tree = NULL; + dcerpc_info *di = (dcerpc_info *)pinfo->private_data; int old_offset; - ALIGN_TO_4_BYTES; + ALIGN_TO_5_BYTES; old_offset = offset; if (parent_tree) { - item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE); + item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA); tree = proto_item_add_subtree(item, ett_efs_EFS_HASH_BLOB); } @@ -205,6 +205,11 @@ efs_dissect_struct_EFS_HASH_BLOB(tvbuff_t *tvb _U_, int offset _U_, packet_info proto_item_set_len(item, offset-old_offset); + + if (di->call_data->flags & DCERPC_IS_NDR64) { + ALIGN_TO_5_BYTES; + } + return offset; } @@ -213,7 +218,7 @@ efs_dissect_struct_EFS_HASH_BLOB(tvbuff_t *tvb _U_, int offset _U_, packet_info /* IDL: uint32 cbTotalLength; */ /* IDL: [unique(1)] dom_sid *pUserSid; */ /* IDL: [unique(1)] EFS_HASH_BLOB *pHash; */ -/* IDL: [charset(UTF16)] [unique(1)] uint16 *lpDisplayInformation; */ +/* IDL: [unique(1)] [charset(UTF16)] uint16 *lpDisplayInformation; */ /* IDL: } */ static int @@ -280,14 +285,15 @@ efs_dissect_struct_ENCRYPTION_CERTIFICATE_HASH(tvbuff_t *tvb _U_, int offset _U_ { proto_item *item = NULL; proto_tree *tree = NULL; + dcerpc_info *di = (dcerpc_info *)pinfo->private_data; int old_offset; - ALIGN_TO_4_BYTES; + ALIGN_TO_5_BYTES; old_offset = offset; if (parent_tree) { - item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE); + item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA); tree = proto_item_add_subtree(item, ett_efs_ENCRYPTION_CERTIFICATE_HASH); } @@ -302,13 +308,18 @@ efs_dissect_struct_ENCRYPTION_CERTIFICATE_HASH(tvbuff_t *tvb _U_, int offset _U_ proto_item_set_len(item, offset-old_offset); + + if (di->call_data->flags & DCERPC_IS_NDR64) { + ALIGN_TO_5_BYTES; + } + return offset; } /* IDL: struct { */ /* IDL: uint32 nCert_Hash; */ -/* IDL: [size_is(nCert_Hash)] [unique(1)] ENCRYPTION_CERTIFICATE_HASH *pUsers[*]; */ +/* IDL: [unique(1)] [size_is(nCert_Hash)] ENCRYPTION_CERTIFICATE_HASH *pUsers[*]; */ /* IDL: } */ static int @@ -348,14 +359,15 @@ efs_dissect_struct_ENCRYPTION_CERTIFICATE_HASH_LIST(tvbuff_t *tvb _U_, int offse { proto_item *item = NULL; proto_tree *tree = NULL; + dcerpc_info *di = (dcerpc_info *)pinfo->private_data; int old_offset; - ALIGN_TO_4_BYTES; + ALIGN_TO_5_BYTES; old_offset = offset; if (parent_tree) { - item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE); + item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA); tree = proto_item_add_subtree(item, ett_efs_ENCRYPTION_CERTIFICATE_HASH_LIST); } @@ -366,6 +378,11 @@ efs_dissect_struct_ENCRYPTION_CERTIFICATE_HASH_LIST(tvbuff_t *tvb _U_, int offse proto_item_set_len(item, offset-old_offset); + + if (di->call_data->flags & DCERPC_IS_NDR64) { + ALIGN_TO_5_BYTES; + } + return offset; } @@ -373,7 +390,7 @@ efs_dissect_struct_ENCRYPTION_CERTIFICATE_HASH_LIST(tvbuff_t *tvb _U_, int offse /* IDL: struct { */ /* IDL: uint32 dwCertEncodingType; */ /* IDL: uint32 cbData; */ -/* IDL: [size_is(cbData)] [unique(1)] uint8 *pbData; */ +/* IDL: [unique(1)] [size_is(cbData)] uint8 *pbData; */ /* IDL: } */ static int @@ -421,14 +438,15 @@ efs_dissect_struct_EFS_CERTIFICATE_BLOB(tvbuff_t *tvb _U_, int offset _U_, packe { proto_item *item = NULL; proto_tree *tree = NULL; + dcerpc_info *di = (dcerpc_info *)pinfo->private_data; int old_offset; - ALIGN_TO_4_BYTES; + ALIGN_TO_5_BYTES; old_offset = offset; if (parent_tree) { - item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE); + item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA); tree = proto_item_add_subtree(item, ett_efs_EFS_CERTIFICATE_BLOB); } @@ -441,6 +459,11 @@ efs_dissect_struct_EFS_CERTIFICATE_BLOB(tvbuff_t *tvb _U_, int offset _U_, packe proto_item_set_len(item, offset-old_offset); + + if (di->call_data->flags & DCERPC_IS_NDR64) { + ALIGN_TO_5_BYTES; + } + return offset; } @@ -496,14 +519,15 @@ efs_dissect_struct_ENCRYPTION_CERTIFICATE(tvbuff_t *tvb _U_, int offset _U_, pac { proto_item *item = NULL; proto_tree *tree = NULL; + dcerpc_info *di = (dcerpc_info *)pinfo->private_data; int old_offset; - ALIGN_TO_4_BYTES; + ALIGN_TO_5_BYTES; old_offset = offset; if (parent_tree) { - item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE); + item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA); tree = proto_item_add_subtree(item, ett_efs_ENCRYPTION_CERTIFICATE); } @@ -516,6 +540,11 @@ efs_dissect_struct_ENCRYPTION_CERTIFICATE(tvbuff_t *tvb _U_, int offset _U_, pac proto_item_set_len(item, offset-old_offset); + + if (di->call_data->flags & DCERPC_IS_NDR64) { + ALIGN_TO_5_BYTES; + } + return offset; } @@ -556,7 +585,7 @@ efs_dissect_element_EfsRpcOpenFileRaw_Flags(tvbuff_t *tvb _U_, int offset _U_, p /* IDL: WERROR EfsRpcOpenFileRaw( */ /* IDL: [out] [ref] policy_handle *pvContext, */ -/* IDL: [charset(UTF16)] [in] uint16 FileName[*], */ +/* IDL: [in] [charset(UTF16)] uint16 FileName[*], */ /* IDL: [in] uint32 Flags */ /* IDL: ); */ @@ -725,7 +754,7 @@ efs_dissect_element_EfsRpcEncryptFileSrv_Filename(tvbuff_t *tvb _U_, int offset } /* IDL: WERROR EfsRpcEncryptFileSrv( */ -/* IDL: [charset(UTF16)] [in] uint16 Filename[*] */ +/* IDL: [in] [charset(UTF16)] uint16 Filename[*] */ /* IDL: ); */ static int @@ -771,7 +800,7 @@ efs_dissect_element_EfsRpcDecryptFileSrv_Reserved(tvbuff_t *tvb _U_, int offset } /* IDL: WERROR EfsRpcDecryptFileSrv( */ -/* IDL: [charset(UTF16)] [in] uint16 FileName[*], */ +/* IDL: [in] [charset(UTF16)] uint16 FileName[*], */ /* IDL: [in] uint32 Reserved */ /* IDL: ); */ @@ -822,7 +851,7 @@ efs_dissect_element_EfsRpcQueryUsersOnFile_pUsers(tvbuff_t *tvb _U_, int offset static int efs_dissect_element_EfsRpcQueryUsersOnFile_pUsers_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) { - offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_element_EfsRpcQueryUsersOnFile_pUsers__, NDR_POINTER_REF, "Pointer to Pusers (ENCRYPTION_CERTIFICATE_HASH_LIST)",hf_efs_EfsRpcQueryUsersOnFile_pUsers); + offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_element_EfsRpcQueryUsersOnFile_pUsers__, NDR_POINTER_UNIQUE, "Pointer to Pusers (ENCRYPTION_CERTIFICATE_HASH_LIST)",hf_efs_EfsRpcQueryUsersOnFile_pUsers); return offset; } @@ -836,7 +865,7 @@ efs_dissect_element_EfsRpcQueryUsersOnFile_pUsers__(tvbuff_t *tvb _U_, int offse } /* IDL: WERROR EfsRpcQueryUsersOnFile( */ -/* IDL: [charset(UTF16)] [in] uint16 FileName[*], */ +/* IDL: [in] [charset(UTF16)] uint16 FileName[*], */ /* IDL: [out] [unique(1)] [ref] ENCRYPTION_CERTIFICATE_HASH_LIST **pUsers */ /* IDL: ); */ @@ -888,7 +917,7 @@ efs_dissect_element_EfsRpcQueryRecoveryAgents_pRecoveryAgents(tvbuff_t *tvb _U_, static int efs_dissect_element_EfsRpcQueryRecoveryAgents_pRecoveryAgents_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) { - offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_element_EfsRpcQueryRecoveryAgents_pRecoveryAgents__, NDR_POINTER_REF, "Pointer to Precoveryagents (ENCRYPTION_CERTIFICATE_HASH_LIST)",hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents); + offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_element_EfsRpcQueryRecoveryAgents_pRecoveryAgents__, NDR_POINTER_UNIQUE, "Pointer to Precoveryagents (ENCRYPTION_CERTIFICATE_HASH_LIST)",hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents); return offset; } @@ -902,7 +931,7 @@ efs_dissect_element_EfsRpcQueryRecoveryAgents_pRecoveryAgents__(tvbuff_t *tvb _U } /* IDL: WERROR EfsRpcQueryRecoveryAgents( */ -/* IDL: [charset(UTF16)] [in] uint16 FileName[*], */ +/* IDL: [in] [charset(UTF16)] uint16 FileName[*], */ /* IDL: [out] [unique(1)] [ref] ENCRYPTION_CERTIFICATE_HASH_LIST **pRecoveryAgents */ /* IDL: ); */ @@ -944,7 +973,7 @@ efs_dissect_element_EfsRpcRemoveUsersFromFile_FileName(tvbuff_t *tvb _U_, int of } /* IDL: WERROR EfsRpcRemoveUsersFromFile( */ -/* IDL: [charset(UTF16)] [in] uint16 FileName[*] */ +/* IDL: [in] [charset(UTF16)] uint16 FileName[*] */ /* IDL: ); */ static int @@ -982,7 +1011,7 @@ efs_dissect_element_EfsRpcAddUsersToFile_FileName(tvbuff_t *tvb _U_, int offset } /* IDL: WERROR EfsRpcAddUsersToFile( */ -/* IDL: [charset(UTF16)] [in] uint16 FileName[*] */ +/* IDL: [in] [charset(UTF16)] uint16 FileName[*] */ /* IDL: ); */ static int @@ -1162,70 +1191,70 @@ static dcerpc_sub_dissector efs_dissectors[] = { void proto_register_dcerpc_efs(void) { static hf_register_info hf[] = { - { &hf_efs_EfsRpcCloseRaw_pvContext, - { "Pvcontext", "efs.EfsRpcCloseRaw.pvContext", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, - { &hf_efs_EfsRpcSetFileEncryptionKey_pEncryptionCertificate, - { "Pencryptioncertificate", "efs.EfsRpcSetFileEncryptionKey.pEncryptionCertificate", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, + { &hf_efs_EfsRpcQueryUsersOnFile_pUsers, + { "Pusers", "efs.EfsRpcQueryUsersOnFile.pUsers", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, + { &hf_efs_EfsRpcDecryptFileSrv_FileName, + { "Filename", "efs.EfsRpcDecryptFileSrv.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, + { &hf_efs_EfsRpcEncryptFileSrv_Filename, + { "Filename", "efs.EfsRpcEncryptFileSrv.Filename", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_efs_EfsRpcOpenFileRaw_pvContext, { "Pvcontext", "efs.EfsRpcOpenFileRaw.pvContext", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, - { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_pUserSid, - { "Pusersid", "efs.ENCRYPTION_CERTIFICATE_HASH.pUserSid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, + { &hf_efs_ENCRYPTION_CERTIFICATE_TotalLength, + { "Totallength", "efs.ENCRYPTION_CERTIFICATE.TotalLength", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, + { &hf_efs_EFS_CERTIFICATE_BLOB_dwCertEncodingType, + { "Dwcertencodingtype", "efs.EFS_CERTIFICATE_BLOB.dwCertEncodingType", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, + { &hf_efs_ENCRYPTION_CERTIFICATE_pCertBlob, + { "Pcertblob", "efs.ENCRYPTION_CERTIFICATE.pCertBlob", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, + { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers, + { "Pusers", "efs.ENCRYPTION_CERTIFICATE_HASH_LIST.pUsers", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, + { &hf_efs_EfsRpcWriteFileRaw_pvContext, + { "Pvcontext", "efs.EfsRpcWriteFileRaw.pvContext", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, + { &hf_efs_EFS_HASH_BLOB_pbData, + { "Pbdata", "efs.EFS_HASH_BLOB.pbData", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL }}, + { &hf_efs_EfsRpcAddUsersToFile_FileName, + { "Filename", "efs.EfsRpcAddUsersToFile.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_efs_EfsRpcReadFileRaw_pvContext, { "Pvcontext", "efs.EfsRpcReadFileRaw.pvContext", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, + { &hf_efs_werror, + { "Windows Error", "efs.werror", FT_UINT32, BASE_HEX, VALS(WERR_errors), 0, NULL, HFILL }}, + { &hf_efs_EfsRpcSetFileEncryptionKey_pEncryptionCertificate, + { "Pencryptioncertificate", "efs.EfsRpcSetFileEncryptionKey.pEncryptionCertificate", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_efs_EfsRpcQueryRecoveryAgents_FileName, { "Filename", "efs.EfsRpcQueryRecoveryAgents.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, - { &hf_efs_EfsRpcQueryUsersOnFile_FileName, - { "Filename", "efs.EfsRpcQueryUsersOnFile.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_efs_EfsRpcOpenFileRaw_FileName, { "Filename", "efs.EfsRpcOpenFileRaw.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, - { &hf_efs_ENCRYPTION_CERTIFICATE_pCertBlob, - { "Pcertblob", "efs.ENCRYPTION_CERTIFICATE.pCertBlob", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_efs_opnum, { "Operation", "efs.opnum", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL }}, - { &hf_efs_EFS_HASH_BLOB_pbData, - { "Pbdata", "efs.EFS_HASH_BLOB.pbData", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL }}, - { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation, - { "Lpdisplayinformation", "efs.ENCRYPTION_CERTIFICATE_HASH.lpDisplayInformation", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, - { &hf_efs_EfsRpcOpenFileRaw_Flags, - { "Flags", "efs.EfsRpcOpenFileRaw.Flags", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, - { &hf_efs_EFS_CERTIFICATE_BLOB_pbData, - { "Pbdata", "efs.EFS_CERTIFICATE_BLOB.pbData", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash, { "Ncert Hash", "efs.ENCRYPTION_CERTIFICATE_HASH_LIST.nCert_Hash", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, - { &hf_efs_EfsRpcEncryptFileSrv_Filename, - { "Filename", "efs.EfsRpcEncryptFileSrv.Filename", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, - { &hf_efs_EfsRpcRemoveUsersFromFile_FileName, - { "Filename", "efs.EfsRpcRemoveUsersFromFile.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, - { &hf_efs_EfsRpcQueryUsersOnFile_pUsers, - { "Pusers", "efs.EfsRpcQueryUsersOnFile.pUsers", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, - { &hf_efs_EfsRpcDecryptFileSrv_FileName, - { "Filename", "efs.EfsRpcDecryptFileSrv.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, - { &hf_efs_ENCRYPTION_CERTIFICATE_TotalLength, - { "Totallength", "efs.ENCRYPTION_CERTIFICATE.TotalLength", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, - { &hf_efs_EfsRpcAddUsersToFile_FileName, - { "Filename", "efs.EfsRpcAddUsersToFile.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, - { &hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents, - { "Precoveryagents", "efs.EfsRpcQueryRecoveryAgents.pRecoveryAgents", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, + { &hf_efs_EfsRpcDecryptFileSrv_Reserved, + { "Reserved", "efs.EfsRpcDecryptFileSrv.Reserved", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_pHash, { "Phash", "efs.ENCRYPTION_CERTIFICATE_HASH.pHash", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, - { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength, - { "Cbtotallength", "efs.ENCRYPTION_CERTIFICATE_HASH.cbTotalLength", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, - { &hf_efs_werror, - { "Windows Error", "efs.werror", FT_UINT32, BASE_HEX, VALS(WERR_errors), 0, NULL, HFILL }}, - { &hf_efs_EFS_HASH_BLOB_cbData, - { "Cbdata", "efs.EFS_HASH_BLOB.cbData", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, - { &hf_efs_EfsRpcWriteFileRaw_pvContext, - { "Pvcontext", "efs.EfsRpcWriteFileRaw.pvContext", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, - { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers, - { "Pusers", "efs.ENCRYPTION_CERTIFICATE_HASH_LIST.pUsers", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, + { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_pUserSid, + { "Pusersid", "efs.ENCRYPTION_CERTIFICATE_HASH.pUserSid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_efs_ENCRYPTION_CERTIFICATE_pUserSid, { "Pusersid", "efs.ENCRYPTION_CERTIFICATE.pUserSid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, - { &hf_efs_EFS_CERTIFICATE_BLOB_dwCertEncodingType, - { "Dwcertencodingtype", "efs.EFS_CERTIFICATE_BLOB.dwCertEncodingType", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, - { &hf_efs_EfsRpcDecryptFileSrv_Reserved, - { "Reserved", "efs.EfsRpcDecryptFileSrv.Reserved", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, + { &hf_efs_EFS_CERTIFICATE_BLOB_pbData, + { "Pbdata", "efs.EFS_CERTIFICATE_BLOB.pbData", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL }}, + { &hf_efs_EFS_HASH_BLOB_cbData, + { "Cbdata", "efs.EFS_HASH_BLOB.cbData", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, + { &hf_efs_EfsRpcCloseRaw_pvContext, + { "Pvcontext", "efs.EfsRpcCloseRaw.pvContext", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_efs_EFS_CERTIFICATE_BLOB_cbData, { "Cbdata", "efs.EFS_CERTIFICATE_BLOB.cbData", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, + { &hf_efs_EfsRpcQueryUsersOnFile_FileName, + { "Filename", "efs.EfsRpcQueryUsersOnFile.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, + { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength, + { "Cbtotallength", "efs.ENCRYPTION_CERTIFICATE_HASH.cbTotalLength", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, + { &hf_efs_EfsRpcOpenFileRaw_Flags, + { "Flags", "efs.EfsRpcOpenFileRaw.Flags", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, + { &hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents, + { "Precoveryagents", "efs.EfsRpcQueryRecoveryAgents.pRecoveryAgents", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, + { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation, + { "Lpdisplayinformation", "efs.ENCRYPTION_CERTIFICATE_HASH.lpDisplayInformation", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, + { &hf_efs_EfsRpcRemoveUsersFromFile_FileName, + { "Filename", "efs.EfsRpcRemoveUsersFromFile.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, }; -- 1.8.1.2