tmp
/
samba


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321
							package smb

import (
	"go-impacket/pkg/smb/smb2"
)

// 此文件提供访问windows服务管理封装

// DCE/RPC 扩展头
// 调用win ms service control api
type PDUExtHeaderStruct struct {
	Version            uint8
	VersionMinor       uint8
	PacketType         uint8
	PacketFlags        uint8
	DataRepresentation uint32 //4字节，小端排序，0x10
	FragLength         uint16 //2字节，整个结构的长度
	AuthLength         uint16
	CallId             uint32
	AllocHint          uint32 `smb:"len:Buffer"` //Buffer的长度
	ContextId          uint16
	OpNum              uint16
	Buffer             interface{}
}

// ms service control
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/dc84adb3-d51d-48eb-820d-ba1c6ca5faf2
type OpenSCManagerWStruct struct {
	MachineName machineName
	Database    database
	AccessMask  uint32
}

type machineName struct {
	ReferentId  uint32 `smb:"offset:MachineName"`
	MaxCount    uint32
	Offset      uint32
	ActualCount uint32 //机器名的长度
	MachineName []byte //任意长度,unicode编码
	Reserved    uint16
}

type database struct {
	ReferentId  uint32 `smb:"offset:Database"`
	MaxCount    uint32
	Offset      uint32
	ActualCount uint32 //机器名的长度
	Database    []byte //任意长度,unicode编码
	Reserved    uint16
}

// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/0d7a7011-9f41-470d-ad52-8535b47ac282
// 安全描述符
const (
	SERVICE_ALL_ACCESS        = 0x000F01FF
	SC_MANAGER_CREATE_SERVICE = 0x00000002
	SC_MANAGER_CONNECT        = 0x00000001
)

// // OpenSCManagerW响应结构
// type OpenSCManagerWResponse struct {
// 	smb2.ReadResponseStruct
// 	Version            uint8
// 	VersionMinor       uint8
// 	PacketType         uint8
// 	PacketFlags        uint8
// 	DataRepresentation uint32
// 	FragLength         uint16
// 	AuthLength         uint16
// 	CallId             uint32
// 	AllocHint          uint32
// 	ContextId          uint16
// 	CancelCount        uint8
// 	Reserved           uint8
// 	ContextHandle      []byte `smb:"fixed:20"`
// 	ReturnCode         uint32
// }

// opnum
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/0d7a7011-9f41-470d-ad52-8535b47ac282
const (
	RCloseServiceHandle         = 0
	RControlService             = 1
	RDeleteService              = 2
	RLockServiceDatabase        = 3
	RQueryServiceObjectSecurity = 4
	RSetServiceObjectSecurity   = 5
	RQueryServiceStatus         = 6
	RSetServiceStatus           = 7
	RUnlockServiceDatabase      = 8
	RNotifyBootConfigStatus     = 9
	RChangeServiceConfigW       = 11
	RCreateServiceW             = 12
	REnumDependentServicesW     = 13
	REnumServicesStatusW        = 14
	ROpenSCManagerW             = 15
	ROpenServiceW               = 16
	RQueryServiceConfigW        = 17
	RQueryServiceLockStatusW    = 18
	RStartServiceW              = 19
	RGetServiceDisplayNameW     = 20
	RGetServiceKeyNameW         = 21
	RChangeServiceConfigA       = 23
	RCreateServiceA             = 24
	REnumDependentServicesA     = 25
	REnumServicesStatusA        = 26
	ROpenSCManagerA             = 27
	ROpenServiceA               = 28
	RQueryServiceConfigA        = 29
	RQueryServiceLockStatusA    = 30
	RStartServiceA              = 31
	RGetServiceDisplayNameA     = 32
	RGetServiceKeyNameA         = 33
	REnumServiceGroupW          = 35
	RChangeServiceConfig2A      = 36
	RChangeServiceConfig2W      = 37
	RQueryServiceConfig2A       = 38
	RQueryServiceConfig2W       = 39
	RQueryServiceStatusEx       = 40
	REnumServicesStatusExA      = 41
	REnumServicesStatusExW      = 42
	RCreateServiceWOW64A        = 44
	RCreateServiceWOW64W        = 45
	RNotifyServiceStatusChange  = 47
	RGetNotifyResults           = 48
	RCloseNotifyHandle          = 49
	RControlServiceExA          = 50
	RControlServiceExW          = 51
	RQueryServiceConfigEx       = 56
	RCreateWowService           = 60
	ROpenSCManager2             = 64
)

// func NewOpenSCManagerWResponse() OpenSCManagerWResponse {
// 	return OpenSCManagerWResponse{
// 		ContextHandle: make([]byte, 20),
// 	}
// }

// 打开服务
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/6d0a4225-451b-4132-894d-7cef7aecfd2d
type ROpenServiceWRequestStruct struct {
	ContextHandle []byte `smb:"fixed:20"` //OpenSCManagerW 句柄
	ServiceName   serviceName
	//Reserved      uint8
	AccessMask uint32
}

type ROpenServiceWResponseStruct struct {
	smb2.ReadResponseStruct
	Version            uint8
	VersionMinor       uint8
	PacketType         uint8
	PacketFlags        uint8
	DataRepresentation uint32
	FragLength         uint16
	AuthLength         uint16
	CallId             uint32
	AllocHint          uint32
	ContextId          uint16
	CancelCount        uint8
	Reserved           uint8
	ContextHandle      []byte `smb:"fixed:20"`
	ReturnCode         uint32
}

// func NewROpenServiceWResponse() ROpenServiceWResponseStruct {
// 	return ROpenServiceWResponseStruct{
// 		ContextHandle: make([]byte, 20),
// 	}
// }

// 创建服务
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/6a8ca926-9477-4dd4-b766-692fab07227e
type RCreateServiceWRequestStruct struct {
	ContextHandle       []byte `smb:"fixed:20"` //OpenSCManagerW 句柄
	ServiceName         serviceName
	DisplayName         displayName
	AccessMask          uint32
	ServiceType         uint32
	ServiceStartType    uint32
	ServiceErrorControl uint32
	BinaryPathName      binaryPathName
	NULLPointer         uint32
	TagId               uint32
	NULLPointer2        uint32
	DependSize          uint32
	NULLPointer3        uint32
	NULLPointer4        uint32
	PasswordSize        uint32
}

type serviceName struct {
	MaxCount    uint32
	Offset      uint32
	ActualCount uint32
	ServiceName []byte
	Reserved    uint16
}

type displayName struct {
	ReferentId  uint32 `smb:"offset:DisplayName"`
	MaxCount    uint32
	Offset      uint32
	ActualCount uint32
	DisplayName []byte
	Reserved    uint16
}

type binaryPathName struct {
	MaxCount       uint32
	Offset         uint32
	ActualCount    uint32
	BinaryPathName []byte `smb:"fixed:26"` // 长度不能超过26字节
}

// RCreateServiceW响应结构
type RCreateServiceWResponseStruct struct {
	smb2.ReadResponseStruct
	Version            uint8
	VersionMinor       uint8
	PacketType         uint8
	PacketFlags        uint8
	DataRepresentation uint32
	FragLength         uint16
	AuthLength         uint16
	CallId             uint32
	AllocHint          uint32
	ContextId          uint16
	CancelCount        uint8
	Reserved           uint8
	TagId              uint32
	ContextHandle      []byte `smb:"fixed:20"`
	ReturnCode         uint32
}

// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/6a8ca926-9477-4dd4-b766-692fab07227e
// dwServiceType 类型
const (
	SERVICE_KERNEL_DRIVER       = 0x00000001
	SERVICE_FILE_SYSTEM_DRIVER  = 0x00000002
	SERVICE_WIN32_OWN_PROCESS   = 0x00000010
	SERVICE_WIN32_SHARE_PROCESS = 0x00000020
	SERVICE_INTERACTIVE_PROCESS = 0x00000100
)

// dwStartType类型
const (
	SERVICE_BOOT_START   = 0x00000000
	SERVICE_SYSTEM_START = 0x00000001
	SERVICE_AUTO_START   = 0x00000002
	SERVICE_DEMAND_START = 0x00000003
	SERVICE_DISABLED     = 0x00000004
)

// dwErrorControl类型
const (
	SERVICE_ERROR_IGNORE   = 0x00000000
	SERVICE_ERROR_NORMAL   = 0x00000001
	SERVICE_ERROR_SEVERE   = 0x00000002
	SERVICE_ERROR_CRITICAL = 0x00000003
)

// 启动服务
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/d9be95a2-cf01-4bdc-b30f-6fe4b37ada16
type RStartServiceWRequestStruct struct {
	ContextHandle []byte `smb:"fixed:20"` //20字节，创建服务返回的句柄
	Argc          uint32 //argv字符串数量
	Argv          []byte `smb:"fixed:4"` //4字节，unicode对象指针
}

type RStartServiceWResponseStruct struct {
	smb2.ReadResponseStruct
	Version            uint8
	VersionMinor       uint8
	PacketType         uint8
	PacketFlags        uint8
	DataRepresentation uint32
	FragLength         uint16
	AuthLength         uint16
	CallId             uint32
	AllocHint          uint32
	ContextId          uint16
	CancelCount        uint8
	Reserved           uint8
	StubData           uint32
}

// 启动服务响应封装
func NewRStartServiceWResponse() RStartServiceWResponseStruct {
	return RStartServiceWResponseStruct{}
}

// 关闭服务句柄
type RCloseServiceHandleRequestStruct struct {
	ContextHandle []byte `smb:"fixed:20"`
}

type RCloseServiceHandleResponseStruct struct {
	smb2.ReadResponseStruct
	Version            uint8
	VersionMinor       uint8
	PacketType         uint8
	PacketFlags        uint8
	DataRepresentation uint32
	FragLength         uint16
	AuthLength         uint16
	CallId             uint32
	AllocHint          uint32
	ContextId          uint16
	CancelCount        uint8
	Reserved           uint8
	ContextHandle      []byte `smb:"fixed:20"`
	ReturnCode         uint32
}

func NewRCloseServiceHandleResponse() RCloseServiceHandleResponseStruct {
	return RCloseServiceHandleResponseStruct{
		ContextHandle: make([]byte, 20),
	}
}