need more information about unknown bytes in RPC call

Matthieu Patou mat+Informatique.Samba at matws.net
Mon Jul 13 06:46:32 MDT 2009


On 07/13/2009 02:48 PM, Stefan (metze) Metzmacher wrote:
> Hi Matthieu,
>
>
>> With the help of my netlogon dissector I'm sure that whatever version
>> of Windows there is, there are always undocumented bytes in netlogon, drsuapi
>> and LSA calls. They have the particularity of beginning with the same
>> "signature": 8a e3 13 71 02 f4 36 71 01 40 04 00 01 00 00 00
>>
>> For GetDomainInfo and LogonSamLogonWithFlags (when level == 6) it is:
>>
>> 8a e3 13 71 02 f4 36 71 01 40 04 00 01 00 00 00
>>
>> For DsBind
>> 0000   8a e3 13 71 02 f4 36 71 01 00 04 00 01 00 00 00  ...q..6q........
>> 0010   02 40 28 00 35 42 51 e3 06 4b d1 11 ab 04 00 c0  .@(.5BQ..K......
>> 0020   4f c2 dc d2 04 00 00 00 04 5d 88 8a eb 1c c9 11  O........]......
>> 0030   9f e8 08 00 2b 10 48 60 02 00 00 00              ....+.H`....
>>
>> For LookupSid3Request
>> 0000   8a e3 13 71 02 f4 36 71 01 00 04 00 01 00 00 00  ...q..6q........
>> 0010   02 40 28 00 78 57 34 12 34 12 cd ab ef 00 01 23  .@(.xW4.4......#
>> 0020   45 67 89 ab 00 00 00 00 04 5d 88 8a eb 1c c9 11  Eg.......]......
>> 0030   9f e8 08 00 2b 10 48 60 02 00 00 00              ....+.H`....
>>
>> For LogonSamLogonEx
>> 0000   8a e3 13 71 02 f4 36 71 01 00 04 00 01 00 00 00  ...q..6q........
>> 0010   02 40 28 00 78 56 34 12 34 12 cd ab ef 00 01 23  .@(.xV4.4......#
>> 0020   45 67 cf fb 01 00 00 00 04 5d 88 8a eb 1c c9 11  Eg.......]......
>> 0030   9f e8 08 00 2b 10 48 60 02 00 00 00              ....+.H`....
>>
>> I can't stop thinking that something (maybe useful maybe not) is hidden
>> in it.
>> Can we ask the guys from wspp for more information?
>>
>
> I'd guess it's just garbage, but feel free to ask them...
>
> metze
>
Yeah, I know your point of view and Andrew's as well, but I find it very
strange to have the same "garbage" in XP, W2K3 and W2K8, and to have it also
in a very constant way ... looks a bit weird to me, but I am not an
expert in MS weirdness ...
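The byte pattern quoted above, as an added example that is not part of the thread and not Samba's code: the 8-byte signature `8a e3 13 71 02 f4 36 71` and the layout that follows it (a 16-bit command, a 16-bit length, then a body) match the DCE/RPC verification trailer defined in [MS-RPCE] section 2.2.2.13, which a client appends to the request stub data, padded to a 4-byte boundary. The parser below decodes the commands in the four dumps; the constants and field names are taken from that section of the spec, the sample inputs are the dumps from the thread, and the stub prefix used by the locator check is constructed.

```python
"""Decode the DCE/RPC verification trailer ([MS-RPCE] 2.2.2.13).

Added example for the samba-technical thread above; not Samba code.
"""
import struct
import uuid

# The signature that opens every dump in the thread (first 8 bytes).
SEC_VT_SIGNATURE = bytes.fromhex("8ae3137102f43671")

# rpc_sec_vt command values and flags, [MS-RPCE] 2.2.2.13
SEC_VT_COMMAND_BITMASK_1 = 0x0001       # body: 32-bit bitmask
SEC_VT_COMMAND_PCONTEXT = 0x0002        # body: interface id + transfer syntax
SEC_VT_COMMAND_HEADER2 = 0x0003         # body: copy of selected PDU header fields
SEC_VT_COMMAND_END = 0x4000             # this command is the last one
SEC_VT_MUST_PROCESS_COMMAND = 0x8000    # server must fail the call if it cannot process it
SEC_VT_COMMAND_MASK = 0x3FFF

CLIENT_SUPPORT_HEADER_SIGNING = 0x00000001  # bit in rpc_sec_vt_bitmask

# Sample input copied from the dumps quoted in the thread.
GETDOMAININFO_TRAILER = bytes.fromhex("8ae3137102f43671" "01400400" "01000000")
DSBIND_TRAILER = bytes.fromhex(
    "8ae3137102f43671" "01000400" "01000000"
    "02402800" "354251e3064bd111ab0400c04fc2dcd2" "04000000"
    "045d888aeb1cc9119fe808002b104860" "02000000")
LOOKUPSID3_TRAILER = bytes.fromhex(
    "8ae3137102f43671" "01000400" "01000000"
    "02402800" "785734123412cdabef000123456789ab" "00000000"
    "045d888aeb1cc9119fe808002b104860" "02000000")
LOGONSAMLOGONEX_TRAILER = bytes.fromhex(
    "8ae3137102f43671" "01000400" "01000000"
    "02402800" "785634123412cdabef0001234567cffb" "01000000"
    "045d888aeb1cc9119fe808002b104860" "02000000")


def _syntax_id(buf):
    """Decode a p_syntax_id_t: little-endian UUID followed by a 32-bit version."""
    return {"uuid": str(uuid.UUID(bytes_le=bytes(buf[:16]))),
            "version": struct.unpack_from("<I", buf, 16)[0]}


def parse_verification_trailer(data):
    """Parse a verification trailer that starts at data[0].

    Returns the list of decoded commands. Raises ValueError on a bad
    signature or a truncated command (including a trailer with no END flag).
    """
    if data[:8] != SEC_VT_SIGNATURE:
        raise ValueError("verification trailer signature not found")
    pos = 8
    commands = []
    while True:
        if pos + 4 > len(data):
            raise ValueError("truncated rpc_sec_vt command header")
        raw_cmd, length = struct.unpack_from("<HH", data, pos)
        pos += 4
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated rpc_sec_vt command body")
        pos += length
        cmd = {
            "command": raw_cmd & SEC_VT_COMMAND_MASK,
            "end": bool(raw_cmd & SEC_VT_COMMAND_END),
            "must_process": bool(raw_cmd & SEC_VT_MUST_PROCESS_COMMAND),
        }
        if cmd["command"] == SEC_VT_COMMAND_BITMASK_1 and length == 4:
            bits = struct.unpack_from("<I", body)[0]
            cmd["name"] = "BITMASK_1"
            cmd["bits"] = bits
            cmd["client_support_header_signing"] = bool(bits & CLIENT_SUPPORT_HEADER_SIGNING)
        elif cmd["command"] == SEC_VT_COMMAND_PCONTEXT and length == 40:
            cmd["name"] = "PCONTEXT"
            cmd["interface"] = _syntax_id(body[:20])
            cmd["transfer_syntax"] = _syntax_id(body[20:40])
        elif cmd["command"] == SEC_VT_COMMAND_HEADER2 and length == 16:
            ptype, _rsvd1, _rsvd2, drep, call_id, p_cont_id, opnum = struct.unpack("<BBH4sIHH", body)
            cmd["name"] = "HEADER2"
            cmd.update(ptype=ptype, drep=drep.hex(), call_id=call_id,
                       p_cont_id=p_cont_id, opnum=opnum)
        else:
            # Unknown command: a server must reject the call if MUST_PROCESS is set.
            cmd["name"] = "UNKNOWN"
            cmd["body"] = body.hex()
        commands.append(cmd)
        if cmd["end"]:
            return commands


def find_verification_trailer(stub):
    """Locate a trailer inside request stub data.

    The trailer follows the stub, padded to a 4-byte boundary, so only
    4-byte-aligned offsets are candidates. Returns (offset, commands) or None.
    """
    for off in range(0, len(stub) - len(SEC_VT_SIGNATURE) + 1, 4):
        if stub[off:off + 8] == SEC_VT_SIGNATURE:
            return off, parse_verification_trailer(stub[off:])
    return None


if __name__ == "__main__":
    for name, sample in [("GetDomainInfo", GETDOMAININFO_TRAILER), ("DsBind", DSBIND_TRAILER),
                         ("LookupSid3", LOOKUPSID3_TRAILER), ("LogonSamLogonEx", LOGONSAMLOGONEX_TRAILER)]:
        print(name)
        for cmd in parse_verification_trailer(sample):
            print("   ", cmd)
```

Run against the dumps, the short GetDomainInfo form decodes to a single BITMASK_1 command flagged END with CLIENT_SUPPORT_HEADER_SIGNING set, and the longer form to BITMASK_1 followed by a PCONTEXT command carrying the interface the call belongs to (drsuapi, lsarpc or netlogon by UUID and version) and the NDR transfer syntax, which is why the last 20 bytes are identical across the DsBind, LookupSid3 and LogonSamLogonEx dumps while the 16 bytes before them differ. Two caveats for anyone building a dissector from this: a server that does not implement the trailer sees it as trailing stub bytes it should ignore, while one that does must fail a call whose MUST_PROCESS command it cannot handle; and the 8-byte signature can occur in ordinary stub data by chance, so a dissector should decode the stub according to the interface's IDL first and only then check whether what remains is a trailer, rather than pattern-scanning as the locator helper here does.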


More information about the samba-technical mailing list