v5

package
v0.2.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 18, 2022 License: GPL-3.0 Imports: 12 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	ResolveOxid  = 0
	SimplePing   = 1
	ComplexPing  = 2
	ServerAlive  = 3
	ResolveOxid2 = 4
	ServerAlive2 = 5
)

RPC Opnum

View Source 
const (
	PDURequest            = 0
	PDUPing               = 1
	PDUResponse           = 2
	PDUFault              = 3
	PDUWorking            = 4
	PDUNoCall             = 5
	PDUReject             = 6
	PDUAck                = 7
	PDUCl_Cancel          = 8
	PDUFack               = 9
	PDUCancel_Ack         = 10
	PDUBind               = 11
	PDUBind_Ack           = 12
	PDUBind_Nak           = 13
	PDUAlter_Context      = 14
	PDUAlter_Context_Resp = 15
	PDUShutdown           = 17
	PDUCo_Cancel          = 18
	PDUOrphaned           = 19
)

PDU PacketType https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm

View Source 
const (
	PDUFlagReserved_01 = 0x01
	PDUFlagLastFrag    = 0x02
	PDUFlagPending     = 0x03
	PDUFlagFrag        = 0x04
	PDUFlagNoFack      = 0x08
	PDUFlagMayBe       = 0x10
	PDUFlagIdemPotent  = 0x20
	PDUFlagBroadcast   = 0x40
	PDUFlagReserved_80 = 0x80
)

PDU PacketFlags https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm

View Source 
const (
	NDRSyntax   = "8a885d04-1ceb-11c9-9fe8-08002b104860" //Version 02, NDR64 data representation protocol
	NDR64Syntax = "71710533-BEBA-4937-8319-B5DBEF9CCC36" //Version 01, NDR64 data representation protocol
)

NDR 传输标准 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/b6090c2b-f44a-47a1-a13b-b82ade0137b2

View Source 
const (
	SERVICE_ALL_ACCESS        = 0x000F01FF
	SC_MANAGER_CREATE_SERVICE = 0x00000002
	SC_MANAGER_CONNECT        = 0x00000001
)

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/0d7a7011-9f41-470d-ad52-8535b47ac282 安全描述符

View Source 
const (
	RCloseServiceHandle         = 0
	RControlService             = 1
	RDeleteService              = 2
	RLockServiceDatabase        = 3
	RQueryServiceObjectSecurity = 4
	RSetServiceObjectSecurity   = 5
	RQueryServiceStatus         = 6
	RSetServiceStatus           = 7
	RUnlockServiceDatabase      = 8
	RNotifyBootConfigStatus     = 9
	RChangeServiceConfigW       = 11
	RCreateServiceW             = 12
	REnumDependentServicesW     = 13
	REnumServicesStatusW        = 14
	ROpenSCManagerW             = 15
	ROpenServiceW               = 16
	RQueryServiceConfigW        = 17
	RQueryServiceLockStatusW    = 18
	RStartServiceW              = 19
	RGetServiceDisplayNameW     = 20
	RGetServiceKeyNameW         = 21
	RChangeServiceConfigA       = 23
	RCreateServiceA             = 24
	REnumDependentServicesA     = 25
	REnumServicesStatusA        = 26
	ROpenSCManagerA             = 27
	ROpenServiceA               = 28
	RQueryServiceConfigA        = 29
	RQueryServiceLockStatusA    = 30
	RStartServiceA              = 31
	RGetServiceDisplayNameA     = 32
	RGetServiceKeyNameA         = 33
	REnumServiceGroupW          = 35
	RChangeServiceConfig2A      = 36
	RChangeServiceConfig2W      = 37
	RQueryServiceConfig2A       = 38
	RQueryServiceConfig2W       = 39
	RQueryServiceStatusEx       = 40
	REnumServicesStatusExA      = 41
	REnumServicesStatusExW      = 42
	RCreateServiceWOW64A        = 44
	RCreateServiceWOW64W        = 45
	RNotifyServiceStatusChange  = 47
	RGetNotifyResults           = 48
	RCloseNotifyHandle          = 49
	RControlServiceExA          = 50
	RControlServiceExW          = 51
	RQueryServiceConfigEx       = 56
	RCreateWowService           = 60
	ROpenSCManager2             = 64
)

opnum https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/0d7a7011-9f41-470d-ad52-8535b47ac282

View Source 
const (
	SERVICE_KERNEL_DRIVER       = 0x00000001
	SERVICE_FILE_SYSTEM_DRIVER  = 0x00000002
	SERVICE_WIN32_OWN_PROCESS   = 0x00000010
	SERVICE_WIN32_SHARE_PROCESS = 0x00000020
	SERVICE_INTERACTIVE_PROCESS = 0x00000100
)

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/6a8ca926-9477-4dd4-b766-692fab07227e dwServiceType 类型

View Source 
const (
	SERVICE_BOOT_START   = 0x00000000
	SERVICE_SYSTEM_START = 0x00000001
	SERVICE_AUTO_START   = 0x00000002
	SERVICE_DEMAND_START = 0x00000003
	SERVICE_DISABLED     = 0x00000004
)

dwStartType类型

View Source 
const (
	SERVICE_ERROR_IGNORE   = 0x00000000
	SERVICE_ERROR_NORMAL   = 0x00000001
	SERVICE_ERROR_SEVERE   = 0x00000002
	SERVICE_ERROR_CRITICAL = 0x00000003
)

dwErrorControl类型

Variables

This section is empty.

Functions

This section is empty.

Types

type AddressStruct 

type AddressStruct struct {
	NumEntries     uint16
	SecurityOffset uint16
}

解析的地址结构

type CtxEItemResponseStruct 

type CtxEItemResponseStruct struct {
	AckResult      uint16
	AckReason      uint16
	TransferSyntax []byte `smb:"fixed:16"` //16字节
	SyntaxVer      uint32
}

PDU CtxItem响应结构

type CtxEItemStruct 

type CtxEItemStruct struct {
	ContextId      uint16
	NumTransItems  uint8
	Reserved       uint8
	AbstractSyntax SyntaxIDStruct
	TransferSyntax SyntaxIDStruct
}

PDU CtxItem结构

type MSRPCBindAckStruct 

type MSRPCBindAckStruct struct {
	MSRPCHeaderStruct
	MaxXmitFrag   uint16
	MaxRecvFrag   uint16
	AssocGroup    uint32
	ScndryAddrlen uint16
	ScndryAddr    []byte `smb:"count:ScndryAddrlen"` //取决管道的长度
	NumResults    uint8
	CtxItem       CtxEItemResponseStruct
}

函数绑定响应结构

func NewMSRPCBindAck 

func NewMSRPCBindAck() MSRPCBindAckStruct

函数绑定响应

type MSRPCBindStruct 

type MSRPCBindStruct struct {
	MSRPCHeaderStruct
	MaxXmitFrag uint16 //4字节,发送大小协商
	MaxRecvFrag uint16 //4字节,接收大小协商
	AssocGroup  uint32
	NumCtxItems uint8
	Reserved    uint8
	Reserved2   uint16
	CtxItem     CtxEItemStruct
}

函数绑定请求结构

type MSRPCHeaderStruct 

type MSRPCHeaderStruct struct {
	Version            uint8
	VersionMinor       uint8
	PacketType         uint8
	PacketFlags        uint8
	DataRepresentation uint32 //4字节,小端排序,0x10
	FragLength         uint16 //2字节,整个结构的长度
	AuthLength         uint16
	CallId             uint32
}

MSRPC 标准头

func NewMSRPCHeader 

func NewMSRPCHeader() MSRPCHeaderStruct

type MSRPCRequestHeaderStruct 

type MSRPCRequestHeaderStruct struct {
	MSRPCHeaderStruct
	AllocHint uint32 `smb:"len:Buffer"` //Buffer的长度
	ContextId uint16
	OpNum     uint16
	Buffer    interface{}
}

func NewOpenSCManagerWRequest 

func NewOpenSCManagerWRequest() MSRPCRequestHeaderStruct

OpenSCManagerW请求 DWORD ROpenSCManagerW( 

[in, string, unique, range(0, SC_MAX_COMPUTER_NAME_LENGTH)] SVCCTL_HANDLEW lpMachineName,
[in, string, unique, range(0, SC_MAX_NAME_LENGTH)] wchar_t* lpDatabaseName,
[in] DWORD dwDesiredAccess,
[out] LPSC_RPC_HANDLE lpScHandle
);

lpMachineName:一种 SVCCTL_HANDLEW(第 2.2.3 节)数据类型,它定义指向以空字符结尾的 UNICODE 字符串的指针,该字符串指定服务器的机器名称。 lpDatabaseName:指向以空结尾的 UNICODE 字符串的指针,该字符串指定要打开的 SCM 数据库的名称。该参数必须设置为 NULL、“ServicesActive”或“ServicesFailed”。 dwDesiredAccess:一个值,指定对数据库的访问。这必须是第 3.1.4 节中指定的值之一。 客户端还必须具有 SC_MANAGER_CONNECT 访问权限。 lpScHandle:一种 LPSC_RPC_HANDLE 数据类型,用于定义新打开的 SCM 数据库的句柄。

func NewRCloseServiceHandleRequest 

func NewRCloseServiceHandleRequest(contextHandle []byte) MSRPCRequestHeaderStruct

初始化关闭服务句柄

func NewRCreateServiceWRequest 

func NewRCreateServiceWRequest(contextHandle []byte, servicename, uploadPathFile string) MSRPCRequestHeaderStruct

func NewRDeleteServiceRequest 

func NewRDeleteServiceRequest(contextHandle []byte) MSRPCRequestHeaderStruct

删除服务封装

func NewROpenServiceWRequest 

func NewROpenServiceWRequest(contextHandle []byte, servicename string) MSRPCRequestHeaderStruct

初始化打开服务请求

func NewRStartServiceWRequest 

func NewRStartServiceWRequest(contextHandle []byte) MSRPCRequestHeaderStruct

启动服务封装

type OpenSCManagerWResponse 

type OpenSCManagerWResponse struct {
	MSRPCHeaderStruct
	AllocHint     uint32
	ContextId     uint16
	CancelCount   uint8
	Reserved      uint8
	ContextHandle []byte `smb:"fixed:20"`
	ReturnCode    uint32
}

OpenSCManagerW响应结构

func NewOpenSCManagerWResponse 

func NewOpenSCManagerWResponse() OpenSCManagerWResponse

type OpenSCManagerWStruct 

type OpenSCManagerWStruct struct {
	MachineName machineName
	Database    database
	AccessMask  uint32
}

打开服务管理结构 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/dc84adb3-d51d-48eb-820d-ba1c6ca5faf2

type RCloseServiceHandleRequestStruct 

type RCloseServiceHandleRequestStruct struct {
	ContextHandle []byte `smb:"fixed:20"`
}

关闭服务句柄

type RCloseServiceHandleResponseStruct 

type RCloseServiceHandleResponseStruct struct {
	MSRPCHeaderStruct
	AllocHint     uint32
	ContextId     uint16
	CancelCount   uint8
	Reserved      uint8
	ContextHandle []byte `smb:"fixed:20"`
	ReturnCode    uint32
}

func NewRCloseServiceHandleResponse 

func NewRCloseServiceHandleResponse() RCloseServiceHandleResponseStruct

type RCreateServiceWRequestStruct 

type RCreateServiceWRequestStruct struct {
	ContextHandle       []byte `smb:"fixed:20"` //OpenSCManagerW 句柄
	ServiceName         serviceName
	DisplayName         displayName
	AccessMask          uint32
	ServiceType         uint32
	ServiceStartType    uint32
	ServiceErrorControl uint32
	BinaryPathName      binaryPathName
	NULLPointer         uint32
	TagId               uint32
	NULLPointer2        uint32
	DependSize          uint32
	NULLPointer3        uint32
	NULLPointer4        uint32
	PasswordSize        uint32
}

创建服务 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/6a8ca926-9477-4dd4-b766-692fab07227e

type RCreateServiceWResponseStruct 

type RCreateServiceWResponseStruct struct {
	MSRPCHeaderStruct
	AllocHint     uint32
	ContextId     uint16
	CancelCount   uint8
	Reserved      uint8
	TagId         uint32
	ContextHandle []byte `smb:"fixed:20"`
	ReturnCode    uint32
}

RCreateServiceW响应结构

func NewRCreateServiceWResponse 

func NewRCreateServiceWResponse() RCreateServiceWResponseStruct

type RDeleteServiceRequestStruct 

type RDeleteServiceRequestStruct struct {
	ContextHandle []byte `smb:"fixed:20"` //20字节,创建服务返回的句柄
}

删除服务结构 https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/6744cdb8-f162-4be0-bb31-98996b6495be

type RDeleteServiceResponseStruct 

type RDeleteServiceResponseStruct struct {
	MSRPCHeaderStruct
	AllocHint   uint32
	ContextId   uint16
	CancelCount uint8
	Reserved    uint8
	ReturnCode  uint32
}

func NewRDeleteServiceResponse 

func NewRDeleteServiceResponse() RDeleteServiceResponseStruct

删除服务响应

type ROpenServiceWRequestStruct 

type ROpenServiceWRequestStruct struct {
	ContextHandle []byte `smb:"fixed:20"` //OpenSCManagerW 句柄
	ServiceName   serviceName
	AccessMask    uint32
}

打开服务 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/6d0a4225-451b-4132-894d-7cef7aecfd2d

type ROpenServiceWResponseStruct 

type ROpenServiceWResponseStruct struct {
	MSRPCHeaderStruct
	AllocHint     uint32
	ContextId     uint16
	CancelCount   uint8
	Reserved      uint8
	ContextHandle []byte `smb:"fixed:20"`
	ReturnCode    uint32
}

func NewROpenServiceWResponse 

func NewROpenServiceWResponse() ROpenServiceWResponseStruct

type RStartServiceWRequestStruct 

type RStartServiceWRequestStruct struct {
	ContextHandle []byte `smb:"fixed:20"` //20字节,创建服务返回的句柄
	Argc          uint32 //argv字符串数量
	Argv          []byte `smb:"fixed:4"` //4字节,unicode对象指针
}

启动服务 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/d9be95a2-cf01-4bdc-b30f-6fe4b37ada16

type RStartServiceWResponseStruct 

type RStartServiceWResponseStruct struct {
	MSRPCHeaderStruct
	AllocHint   uint32
	ContextId   uint16
	CancelCount uint8
	Reserved    uint8
	StubData    uint32
}

func NewRStartServiceWResponse 

func NewRStartServiceWResponse() RStartServiceWResponseStruct

启动服务响应

type SMBClient 

type SMBClient struct {
	smb2.Client
}

func SMBTransport 

func SMBTransport() (client *SMBClient, err error)

连接封装 ncacn_np协议的实现

func (*SMBClient) CloseService 

func (c *SMBClient) CloseService(treeId uint32, fileId, serviceHandle []byte, callId uint32) error

smb->关闭scm句柄

func (*SMBClient) CreateService 

func (c *SMBClient) CreateService(treeId uint32, fileId, contextHandle []byte, servicename, uploadPathFile string, callId uint32) (handler []byte, err error)

smb->创建服务,返回创建服务后的实例句柄

func (*SMBClient) DeleteService 

func (c *SMBClient) DeleteService(treeId uint32, fileId, serviceHandle []byte, callId uint32) (err error)

smb->删除服务

func (*SMBClient) FileUpload 

func (c *SMBClient) FileUpload(file, Path string) (filename string, err error)

smb->上传文件,返回文件名

func (*SMBClient) MSRPCBind 

func (c *SMBClient) MSRPCBind(treeId uint32, fileId []byte, uuid string, version uint32) (err error)

smb->函数绑定

func (*SMBClient) OpenService 

func (c *SMBClient) OpenService(treeId uint32, fileId, contextHandle []byte, servicename string, callId uint32) (err error)

smb->打开服务

func (*SMBClient) OpenSvcManager 

func (c *SMBClient) OpenSvcManager(treeId, callId uint32) (fileid, handler []byte, err error)

smb->打开scm,返回scm服务句柄

func (*SMBClient) ServiceDelete 

func (c *SMBClient) ServiceDelete(serviceHandle []byte) (err error)

服务删除

func (*SMBClient) ServiceInstall 

func (c *SMBClient) ServiceInstall(servicename, file, path string) (service string, servicehandle []byte, err error)

服务安装

func (*SMBClient) StartService 

func (c *SMBClient) StartService(treeId uint32, fileId, serviceHandle []byte, callId uint32) (err error)

smb->启动服务

type ServerAlive2RequestStruct 

type ServerAlive2RequestStruct struct {
	MSRPCHeaderStruct
	AllocHint uint32
	ContextId uint16
	Opnum     uint16
}

ServerAlive2请求结构

func NewServerAlive2Request 

func NewServerAlive2Request() ServerAlive2RequestStruct

type ServerAlive2ResponseStruct 

type ServerAlive2ResponseStruct struct {
	MSRPCHeaderStruct
	AllocHint       uint32
	ContextId       uint16
	CancelCount     uint8
	Reserved        uint8
	VersionMajor    uint16
	VersionMinor    uint16
	Unknown         uint64
	PpdsaOrBindings AddressStruct
	Reserved2       uint64
}

func NewServerAlive2Response 

func NewServerAlive2Response() ServerAlive2ResponseStruct

type SyntaxIDStruct 

type SyntaxIDStruct struct {
	UUID    []byte `smb:"fixed:16"`
	Version uint32
}

type TCPClient 

type TCPClient struct {
	common.Client
}

func NewTCPSession 

func NewTCPSession(opt common.ClientOptions, debug bool) (client *TCPClient, err error)

tcp连接封装

func TCPTransport 

func TCPTransport() (client *TCPClient, err error)

func (*TCPClient) MSRPCBind 

func (c *TCPClient) MSRPCBind(uuid string, version uint32) (err error)

tcp->函数绑定

func (*TCPClient) ServerAlive2Request 

func (c *TCPClient) ServerAlive2Request(callId uint32) (address []string, err error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.