Add support for LSARPC OpenPolicy, QueryInformationPolicy, LookupSids…

…, CloseHandle

lib/ruby_smb/dcerpc/error.rb

@@ -47,6 +47,9 @@ class CommunicationError < DcerpcError; end
       # Raised when an error is returned during a Epm operation
       class EpmError < DcerpcError; end
 
+      # Raised when an error is returned during an LSARPC operation
+      class LsarpcError < DcerpcError; end
+
       # Raised when an error is returned during a Dfsnm operation
       class DfsnmError < DcerpcError
         include RubySMB::Error::UnexpectedStatusCode::Mixin

lib/ruby_smb/dcerpc/lsarpc/lsar_close_handle_request.rb

@@ -0,0 +1,22 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+
+      # This class represents a LsarClose Request Packet as defined in
+      # [3.1.4.9.4 LsarClose (Opnum 0)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/99dd2d7a-b0fc-4c6d-837a-2b4d342383ae)
+      class LsarCloseHandleRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        lsapr_handle :policy_handle
+
+        def initialize_instance
+          super
+          @opnum = LSAR_CLOSE_HANDLE
+        end
+      end
+
+    end
+  end
+end

lib/ruby_smb/dcerpc/lsarpc/lsar_close_handle_response.rb

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+
+      # This class represents a LsarClose Response Packet as defined in
+      # [3.1.4.9.4 LsarClose (Opnum 0)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/99dd2d7a-b0fc-4c6d-837a-2b4d342383ae)
+      class LsarCloseHandleResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        lsapr_handle :policy_handle
+        ndr_uint32   :error_status
+
+        def initialize_instance
+          super
+          @opnum = LSAR_CLOSE_HANDLE
+        end
+      end
+
+    end
+  end
+end

lib/ruby_smb/dcerpc/lsarpc/lsar_lookup_sids_request.rb

@@ -0,0 +1,26 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+
+      # This class represents a LsarLookupSids Request Packet as defined in
+      # [3.1.4.11 LsarLookupSids (Opnum 15)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsat/eb7ac899-e697-4883-93de-1e60c7720c02)
+      class LsarLookupSidsRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        lsapr_handle           :policy_handle
+        lsapr_sid_enum_buffer  :sid_enum_buffer
+        lsapr_translated_names :translated_names
+        ndr_uint16             :lookup_level
+        ndr_uint32             :mapped_count
+
+        def initialize_instance
+          super
+          @opnum = LSAR_LOOKUP_SIDS
+        end
+      end
+
+    end
+  end
+end

lib/ruby_smb/dcerpc/lsarpc/lsar_lookup_sids_response.rb

@@ -0,0 +1,25 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+
+      # This class represents a LsarLookupSids Response Packet as defined in
+      # [3.1.4.11 LsarLookupSids (Opnum 15)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsat/eb7ac899-e697-4883-93de-1e60c7720c02)
+      class LsarLookupSidsResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        lsapr_referenced_domain_list_ptr :referenced_domains
+        lsapr_translated_names           :translated_names
+        ndr_uint32                       :mapped_count
+        ndr_uint32                       :error_status
+
+        def initialize_instance
+          super
+          @opnum = LSAR_LOOKUP_SIDS
+        end
+      end
+
+    end
+  end
+end

lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy_2_request.rb

@@ -0,0 +1,24 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+
+      # This class represents a LsarOpenPolicy2 Request Packet as defined in
+      # [3.1.4.4.1 LsarOpenPolicy2 (Opnum 44)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/9456a963-7c21-4710-af77-d0a2f5a72d6b)
+      class LsarOpenPolicy2Request < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_wide_stringz_ptr    :system_name
+        lsapr_object_attributes :object_attributes
+        ndr_uint32              :access_mask
+
+        def initialize_instance
+          super
+          @opnum = LSAR_OPEN_POLICY_2
+        end
+      end
+
+    end
+  end
+end

lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy_2_response.rb

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+
+      # This class represents a LsarOpenPolicy2 Response Packet as defined in
+      # [3.1.4.4.1 LsarOpenPolicy2 (Opnum 44)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/9456a963-7c21-4710-af77-d0a2f5a72d6b)
+      class LsarOpenPolicy2Response < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        lsapr_handle :policy_handle
+        ndr_uint32   :error_status
+
+        def initialize_instance
+          super
+          @opnum = LSAR_OPEN_POLICY_2
+        end
+      end
+
+    end
+  end
+end

lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy_request.rb

@@ -0,0 +1,24 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+
+      # This class represents a LsarOpenPolicy Request Packet as defined in
+      # [3.1.4.4.2 LsarOpenPolicy (Opnum 6)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/2a482ccf-1f89-4693-8594-855ff738ae8a)
+      class LsarOpenPolicyRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_wide_string_ptr     :system_name
+        lsapr_object_attributes :object_attributes
+        ndr_uint32              :access_mask
+
+        def initialize_instance
+          super
+          @opnum = LSAR_OPEN_POLICY
+        end
+      end
+
+    end
+  end
+end

lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy_response.rb

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+
+      # This class represents a LsarOpenPolicy Response Packet as defined in
+      # [3.1.4.4.2 LsarOpenPolicy (Opnum 6)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/2a482ccf-1f89-4693-8594-855ff738ae8a)
+      class LsarOpenPolicyResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        lsapr_handle :policy_handle
+        ndr_uint32   :error_status
+
+        def initialize_instance
+          super
+          @opnum = LSAR_OPEN_POLICY
+        end
+      end
+
+    end
+  end
+end

lib/ruby_smb/dcerpc/lsarpc/lsar_query_information_policy_2_request.rb

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+
+      # This class represents a LsarQueryInformationPolicy2 Request Packet as defined in
+      # [3.1.4.4.4 LsarQueryInformationPolicy2 (Opnum 46)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/516f503c-0230-489d-b012-e650b46b66a2)
+      class LsarQueryInformationPolicy2Request < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        lsapr_handle :policy_handle
+        ndr_uint32   :information_class
+
+        def initialize_instance
+          super
+          @opnum = LSAR_QUERY_INFORMATION_POLICY_2
+        end
+      end
+
+    end
+  end
+end

lib/ruby_smb/dcerpc/lsarpc/lsar_query_information_policy_2_response.rb

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+
+      # This class represents a LsarQueryInformationPolicy2 Response Packet as defined in
+      # [3.1.4.4.4 LsarQueryInformationPolicy2 (Opnum 46)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/516f503c-0230-489d-b012-e650b46b66a2)
+      class LsarQueryInformationPolicy2Response < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        lsapr_policy_information_ptr :policy_information
+        ndr_uint32                   :error_status
+
+        def initialize_instance
+          super
+          @opnum = LSAR_QUERY_INFORMATION_POLICY_2
+        end
+      end
+
+    end
+  end
+end

lib/ruby_smb/dcerpc/lsarpc/lsar_query_information_policy_request.rb

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+
+      # This class represents a LsarQueryInformationPolicy Request Packet as defined in
+      # [3.1.4.4.4 LsarQueryInformationPolicy (Opnum 7)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/3564ba70-84ea-4f04-a9dc-dede9f96a8bf)
+      class LsarQueryInformationPolicyRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        lsapr_handle :policy_handle
+        ndr_uint32   :information_class
+
+        def initialize_instance
+          super
+          @opnum = LSAR_QUERY_INFORMATION_POLICY
+        end
+      end
+
+    end
+  end
+end

lib/ruby_smb/dcerpc/lsarpc/lsar_query_information_policy_response.rb

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+
+      # This class represents a LsarQueryInformationPolicy Response Packet as defined in
+      # [3.1.4.4.4 LsarQueryInformationPolicy (Opnum 7)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/3564ba70-84ea-4f04-a9dc-dede9f96a8bf)
+      class LsarQueryInformationPolicyResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        lsapr_policy_information_ptr :policy_information
+        ndr_uint32                   :error_status
+
+        def initialize_instance
+          super
+          @opnum = LSAR_QUERY_INFORMATION_POLICY
+        end
+      end
+
+    end
+  end
+end

lib/ruby_smb/dcerpc/request.rb

@@ -111,6 +111,14 @@ class Request < BinData::Record
           efs_rpc_query_recovery_agents_request Efsrpc::EFS_RPC_QUERY_RECOVERY_AGENTS
           efs_rpc_query_users_on_file_request   Efsrpc::EFS_RPC_QUERY_USERS_ON_FILE
         end
+        choice 'Lsarpc', selection: -> { opnum } do
+          lsar_open_policy_request               Lsarpc::LSAR_OPEN_POLICY
+          lsar_open_policy2_request              Lsarpc::LSAR_OPEN_POLICY_2
+          lsar_query_information_policy_request  Lsarpc::LSAR_QUERY_INFORMATION_POLICY
+          lsar_query_information_policy2_request Lsarpc::LSAR_QUERY_INFORMATION_POLICY_2
+          lsar_close_handle_request              Lsarpc::LSAR_CLOSE_HANDLE
+          lsar_lookup_sids_request               Lsarpc::LSAR_LOOKUP_SIDS
+        end
         string :default
       end
 

lib/ruby_smb/dcerpc/samr/rpc_sid.rb

@@ -107,7 +107,7 @@ def assign(val)
           case val
           when String
             elems = val.split('-')
-            raise ArgumentError, "Wrong SID format" unless elems[0].downcase == 's'
+            raise ArgumentError, "Wrong SID format for #{val.inspect}" unless elems[0].downcase == 's'
             self.revision = elems[1].to_i
             self.sub_authority_count = elems[3..-1].size
             self.identifier_authority = [0, 0, 0, 0, 0, elems[2].to_i]

spec/lib/ruby_smb/dcerpc/lsarpc/lsar_close_handle_request_spec.rb

@@ -0,0 +1,40 @@
+RSpec.describe RubySMB::Dcerpc::Lsarpc::LsarCloseHandleRequest do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :policy_handle }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#policy_handle' do
+    it 'is an LsaprHandle structure' do
+      expect(packet.policy_handle).to be_a RubySMB::Dcerpc::Lsarpc::LsaprHandle
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to LSAR_CLOSE_HANDLE constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Lsarpc::LSAR_CLOSE_HANDLE)
+    end
+  end
+  it 'reads itself' do
+    new_packet = described_class.new({
+                                       policy_handle: {
+                                         context_handle_attributes: 0,
+                                         context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+                                       }
+                                     })
+    expected_output = {
+      policy_handle: {
+        context_handle_attributes: 0,
+        context_handle_uuid: "fc873b90-d9a9-46a4-b9ea-f44bb1c272a7"
+      }
+    }
+    expect(packet.read(new_packet.to_binary_s)).to eq(expected_output)
+  end
+end
+
+