Land #259, Update and refactor Efsrpc

lib/ruby_smb/dcerpc.rb

@@ -48,6 +48,8 @@ module Dcerpc
     require 'ruby_smb/dcerpc/sec_trailer'
     require 'ruby_smb/dcerpc/dfsnm'
     require 'ruby_smb/dcerpc/icpr'
+    require 'ruby_smb/dcerpc/efsrpc'
+    require 'ruby_smb/dcerpc/lsarpc'
     require 'ruby_smb/dcerpc/request'
     require 'ruby_smb/dcerpc/response'
     require 'ruby_smb/dcerpc/rpc_auth3'
@@ -60,7 +62,6 @@ module Dcerpc
     require 'ruby_smb/dcerpc/bind_ack'
     require 'ruby_smb/dcerpc/alter_context_resp'
     require 'ruby_smb/dcerpc/print_system'
-    require 'ruby_smb/dcerpc/encrypting_file_system'
 
     # Initialize the auth provider using NTLM. This function should be overriden for other providers (e.g. Kerberos, etc.)
     # @raise ArgumentError If @ntlm_client isn't initialized with a username and password.

lib/ruby_smb/dcerpc/encrypting_file_system.rb → lib/ruby_smb/dcerpc/efsrpc.rb

@@ -1,6 +1,6 @@
 module RubySMB
   module Dcerpc
-    module EncryptingFileSystem
+    module Efsrpc
       # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/403c7ae0-1a3a-4e96-8efc-54e79a2cc451
       UUID = EFSRPC_UUID = 'df1941c5-fe89-4e79-bf10-463657acf44d'.freeze
       LSARPC_UUID = 'c681d488-d850-11d0-8c52-00c04fd90f7e'.freeze
@@ -81,16 +81,16 @@ class EncryptionCertificateHashListPtr < EncryptionCertificateHashList
         extend Ndr::PointerClassPlugin
       end
 
-      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_decrypt_file_srv_request'
-      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_decrypt_file_srv_response'
-      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_encrypt_file_srv_request'
-      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_encrypt_file_srv_response'
-      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_open_file_raw_request'
-      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_open_file_raw_response'
-      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_recover_agents_request'
-      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_recover_agents_response'
-      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_users_on_file_request'
-      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_users_on_file_response'
+      require 'ruby_smb/dcerpc/efsrpc/efs_rpc_decrypt_file_srv_request'
+      require 'ruby_smb/dcerpc/efsrpc/efs_rpc_decrypt_file_srv_response'
+      require 'ruby_smb/dcerpc/efsrpc/efs_rpc_encrypt_file_srv_request'
+      require 'ruby_smb/dcerpc/efsrpc/efs_rpc_encrypt_file_srv_response'
+      require 'ruby_smb/dcerpc/efsrpc/efs_rpc_open_file_raw_request'
+      require 'ruby_smb/dcerpc/efsrpc/efs_rpc_open_file_raw_response'
+      require 'ruby_smb/dcerpc/efsrpc/efs_rpc_query_recovery_agents_request'
+      require 'ruby_smb/dcerpc/efsrpc/efs_rpc_query_recovery_agents_response'
+      require 'ruby_smb/dcerpc/efsrpc/efs_rpc_query_users_on_file_request'
+      require 'ruby_smb/dcerpc/efsrpc/efs_rpc_query_users_on_file_response'
     end
   end
 end

lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_decrypt_file_srv_request.rb → lib/ruby_smb/dcerpc/efsrpc/efs_rpc_decrypt_file_srv_request.rb

@@ -1,6 +1,6 @@
 module RubySMB
   module Dcerpc
-    module EncryptingFileSystem
+    module Efsrpc
 
       # [3.1.4.2.6 Receiving an EfsRpcDecryptFileSrv Message (Opnum 5)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/043715de-caee-402a-a61b-921743337e78)
       class EfsRpcDecryptFileSrvRequest < BinData::Record

lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_decrypt_file_srv_response.rb → lib/ruby_smb/dcerpc/efsrpc/efs_rpc_decrypt_file_srv_response.rb

@@ -1,6 +1,6 @@
 module RubySMB
   module Dcerpc
-    module EncryptingFileSystem
+    module Efsrpc
 
       # [3.1.4.2.6 Receiving an EfsRpcDecryptFileSrv Message (Opnum 5)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/043715de-caee-402a-a61b-921743337e78)
       class EfsRpcDecryptFileSrvResponse < BinData::Record

lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_encrypt_file_srv_request.rb → lib/ruby_smb/dcerpc/efsrpc/efs_rpc_encrypt_file_srv_request.rb

@@ -1,6 +1,6 @@
 module RubySMB
   module Dcerpc
-    module EncryptingFileSystem
+    module Efsrpc
 
       # [3.1.4.2.5 EfsRpcEncryptFileSrv (Opnum 4)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/0d599976-758c-4dbd-ac8c-c9db2a922d76)
       class EfsRpcEncryptFileSrvRequest < BinData::Record

lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_encrypt_file_srv_response.rb → lib/ruby_smb/dcerpc/efsrpc/efs_rpc_encrypt_file_srv_response.rb

@@ -1,6 +1,6 @@
 module RubySMB
   module Dcerpc
-    module EncryptingFileSystem
+    module Efsrpc
 
       # [3.1.4.2.5 EfsRpcEncryptFileSrv (Opnum 4)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/0d599976-758c-4dbd-ac8c-c9db2a922d76)
       class EfsRpcEncryptFileSrvResponse < BinData::Record

lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_open_file_raw_request.rb → lib/ruby_smb/dcerpc/efsrpc/efs_rpc_open_file_raw_request.rb

@@ -1,6 +1,6 @@
 module RubySMB
   module Dcerpc
-    module EncryptingFileSystem
+    module Efsrpc
 
       # [3.1.4.2.1 EfsRpcOpenFileRaw (Opnum 0)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/ccc4fb75-1c86-41d7-bbc4-b278ec13bfb8)
       class EfsRpcOpenFileRawRequest < BinData::Record

lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_open_file_raw_response.rb → lib/ruby_smb/dcerpc/efsrpc/efs_rpc_open_file_raw_response.rb

@@ -1,6 +1,6 @@
 module RubySMB
   module Dcerpc
-    module EncryptingFileSystem
+    module Efsrpc
 
       # [3.1.4.2.1 EfsRpcOpenFileRaw (Opnum 0)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/ccc4fb75-1c86-41d7-bbc4-b278ec13bfb8)
       class EfsRpcOpenFileRawResponse < BinData::Record

lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_recover_agents_request.rb → lib/ruby_smb/dcerpc/efsrpc/efs_rpc_query_recovery_agents_request.rb

@@ -1,6 +1,6 @@
 module RubySMB
   module Dcerpc
-    module EncryptingFileSystem
+    module Efsrpc
 
       # [3.1.4.2.8 Receiving an EfsRpcQueryRecoveryAgents Message (Opnum 7)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/cf759c00-1b90-4c33-9ace-f51c20149cea)
       class EfsRpcQueryRecoveryAgentsRequest < BinData::Record

lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_recover_agents_response.rb → lib/ruby_smb/dcerpc/efsrpc/efs_rpc_query_recovery_agents_response.rb

@@ -1,6 +1,6 @@
 module RubySMB
   module Dcerpc
-    module EncryptingFileSystem
+    module Efsrpc
 
       # [3.1.4.2.8 Receiving an EfsRpcQueryRecoveryAgents Message (Opnum 7)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/cf759c00-1b90-4c33-9ace-f51c20149cea)
       class EfsRpcQueryRecoveryAgentsResponse < BinData::Record

lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_users_on_file_request.rb → lib/ruby_smb/dcerpc/efsrpc/efs_rpc_query_users_on_file_request.rb

@@ -1,6 +1,6 @@
 module RubySMB
   module Dcerpc
-    module EncryptingFileSystem
+    module Efsrpc
 
       # [3.1.4.2.7 Receiving an EfsRpcQueryUsersOnFile Message (Opnum 6)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/a058dc6c-bb7e-491c-9143-a5cb1f7e7cea)
       class EfsRpcQueryUsersOnFileRequest < BinData::Record

lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_users_on_file_response.rb → lib/ruby_smb/dcerpc/efsrpc/efs_rpc_query_users_on_file_response.rb

@@ -1,6 +1,6 @@
 module RubySMB
   module Dcerpc
-    module EncryptingFileSystem
+    module Efsrpc
 
       # [3.1.4.2.7 Receiving an EfsRpcQueryUsersOnFile Message (Opnum 6)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/a058dc6c-bb7e-491c-9143-a5cb1f7e7cea)
       class EfsRpcQueryUsersOnFileResponse < BinData::Record

lib/ruby_smb/dcerpc/lsarpc.rb

@@ -0,0 +1,11 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dssp/6f843846-2494-4d49-b715-2f181317dd34
+      UUID = 'c681d488-d850-11d0-8c52-00c04fd90f7e'.freeze
+      VER_MAJOR = 1
+      VER_MINOR = 0
+
+    end
+  end
+end

lib/ruby_smb/dcerpc/request.rb

@@ -101,6 +101,13 @@ class Request < BinData::Record
           cert_server_request_request      Icpr::CERT_SERVER_REQUEST
           string                           :default
         end
+        choice 'Efsrpc', selection: -> { opnum } do
+          efs_rpc_decrypt_file_srv_request      Efsrpc::EFS_RPC_DECRYPT_FILE_SRV
+          efs_rpc_encrypt_file_srv_request      Efsrpc::EFS_RPC_ENCRYPT_FILE_SRV
+          efs_rpc_open_file_raw_request         Efsrpc::EFS_RPC_OPEN_FILE_RAW
+          efs_rpc_query_recovery_agents_request Efsrpc::EFS_RPC_QUERY_RECOVERY_AGENTS
+          efs_rpc_query_users_on_file_request   Efsrpc::EFS_RPC_QUERY_USERS_ON_FILE
+        end
         string :default
       end
 

lib/ruby_smb/dcerpc/uuid.rb

@@ -22,8 +22,8 @@ def get
       end
 
       def set(uuid_string)
-        uuid_string.delete_suffix!('}')
-        uuid_string.delete_prefix!('{')
+        uuid_string = uuid_string.delete_suffix('}')
+        uuid_string = uuid_string.delete_prefix('{')
         components = uuid_string.split('-')
         self.time_low.read(to_binary_le(components[0]))
         self.time_mid.read(to_binary_le(components[1]))

lib/ruby_smb/smb1/pipe.rb

@@ -28,10 +28,14 @@ def initialize(tree:, response:, name:)
           extend RubySMB::Dcerpc::Samr
         when 'wkssvc', '\\wkssvc'
           extend RubySMB::Dcerpc::Wkssvc
+        when 'lsarpc', '\\lsarpc'
+          extend RubySMB::Dcerpc::Lsarpc
         when 'netdfs', '\\netdfs'
           extend RubySMB::Dcerpc::Dfsnm
         when 'cert', '\\cert'
           extend RubySMB::Dcerpc::Icpr
+        when 'efsrpc', '\\efsrpc'
+          extend RubySMB::Dcerpc::Efsrpc
         end
         super(tree: tree, response: response, name: name)
       end

lib/ruby_smb/smb2/pipe.rb

@@ -25,10 +25,14 @@ def initialize(tree:, response:, name:)
           extend RubySMB::Dcerpc::Samr
         when 'wkssvc', '\\wkssvc'
           extend RubySMB::Dcerpc::Wkssvc
+        when 'lsarpc', '\\lsarpc'
+          extend RubySMB::Dcerpc::Lsarpc
         when 'netdfs', '\\netdfs'
           extend RubySMB::Dcerpc::Dfsnm
         when 'cert', '\\cert'
           extend RubySMB::Dcerpc::Icpr
+        when 'efsrpc', '\\efsrpc'
+          extend RubySMB::Dcerpc::Efsrpc
         end
         super(tree: tree, response: response, name: name)
       end

spec/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_encrypt_file_srv_request_spec.rb

@@ -1,4 +1,4 @@
-RSpec.describe RubySMB::Dcerpc::EncryptingFileSystem::EfsRpcEncryptFileSrvRequest do
+RSpec.describe RubySMB::Dcerpc::Efsrpc::EfsRpcEncryptFileSrvRequest do
   subject(:packet) { described_class.new }
 
   it { is_expected.to respond_to :file_name }
@@ -15,7 +15,7 @@
 
   describe '#initialize_instance' do
     it 'sets #opnum to EFS_RPC_ENCRYPT_FILE_SRV constant' do
-      expect(packet.opnum).to eq(RubySMB::Dcerpc::EncryptingFileSystem::EFS_RPC_ENCRYPT_FILE_SRV)
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Efsrpc::EFS_RPC_ENCRYPT_FILE_SRV)
     end
   end
 

spec/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_encrypt_file_srv_response_spec.rb

@@ -1,4 +1,4 @@
-RSpec.describe RubySMB::Dcerpc::EncryptingFileSystem::EfsRpcEncryptFileSrvResponse do
+RSpec.describe RubySMB::Dcerpc::Efsrpc::EfsRpcEncryptFileSrvResponse do
   subject(:packet) { described_class.new }
 
   it { is_expected.to respond_to :error_status }
@@ -15,7 +15,7 @@
 
   describe '#initialize_instance' do
     it 'sets #opnum to EFS_RPC_ENCRYPT_FILE_SRV constant' do
-      expect(packet.opnum).to eq(RubySMB::Dcerpc::EncryptingFileSystem::EFS_RPC_ENCRYPT_FILE_SRV)
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Efsrpc::EFS_RPC_ENCRYPT_FILE_SRV)
     end
   end
 

spec/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_open_file_raw_request_spec.rb

@@ -1,4 +1,4 @@
-RSpec.describe RubySMB::Dcerpc::EncryptingFileSystem::EfsRpcOpenFileRawRequest do
+RSpec.describe RubySMB::Dcerpc::Efsrpc::EfsRpcOpenFileRawRequest do
   subject(:packet) { described_class.new }
 
   it { is_expected.to respond_to :file_name }
@@ -22,7 +22,7 @@
 
   describe '#initialize_instance' do
     it 'sets #opnum to EFS_RPC_OPEN_FILE_RAW constant' do
-      expect(packet.opnum).to eq(RubySMB::Dcerpc::EncryptingFileSystem::EFS_RPC_OPEN_FILE_RAW)
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Efsrpc::EFS_RPC_OPEN_FILE_RAW)
     end
   end
 

spec/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_open_file_raw_response_spec.rb

@@ -1,4 +1,4 @@
-RSpec.describe RubySMB::Dcerpc::EncryptingFileSystem::EfsRpcOpenFileRawResponse do
+RSpec.describe RubySMB::Dcerpc::Efsrpc::EfsRpcOpenFileRawResponse do
   subject(:packet) { described_class.new }
 
   it { is_expected.to respond_to :h_context }
@@ -22,7 +22,7 @@
 
   describe '#initialize_instance' do
     it 'sets #opnum to EFS_RPC_OPEN_FILE_RAW constant' do
-      expect(packet.opnum).to eq(RubySMB::Dcerpc::EncryptingFileSystem::EFS_RPC_OPEN_FILE_RAW)
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Efsrpc::EFS_RPC_OPEN_FILE_RAW)
     end
   end