Documentation
¶
Index ¶
- Constants
- type AddressStruct
- type AuthInfoByNTLMSSPStruct
- type CtxEItemResponseStruct
- type CtxItemStruct
- type EPMLookupRequestStruct
- type EPMLookupResponseStruct
- type EntryStruct
- type EntryTowerPointerStruct
- type MSRPCAuthByNTLMSSPBindStruct
- type MSRPCBindAckStruct
- type MSRPCBindStruct
- type MSRPCHeaderStruct
- type MSRPCRequestHeaderStruct
- func NewOpenSCManagerWRequest() MSRPCRequestHeaderStruct
- func NewRCloseServiceHandleRequest(contextHandle []byte) MSRPCRequestHeaderStruct
- func NewRCreateServiceWRequest(contextHandle []byte, servicename, uploadPathFile string) MSRPCRequestHeaderStruct
- func NewRDeleteServiceRequest(contextHandle []byte) MSRPCRequestHeaderStruct
- func NewROpenServiceWRequest(contextHandle []byte, servicename string) MSRPCRequestHeaderStruct
- func NewRStartServiceWRequest(contextHandle []byte) MSRPCRequestHeaderStruct
- type NTLMSecureServiceProviderStruct
- type NTLMVersion
- type OpenSCManagerWResponse
- type OpenSCManagerWStruct
- type RCloseServiceHandleRequestStruct
- type RCloseServiceHandleResponseStruct
- type RCreateServiceWRequestStruct
- type RCreateServiceWResponseStruct
- type RDeleteServiceRequestStruct
- type RDeleteServiceResponseStruct
- type ROpenServiceWRequestStruct
- type ROpenServiceWResponseStruct
- type RStartServiceWRequestStruct
- type RStartServiceWResponseStruct
- type ResolveOxid2RequestStruct
- type ResolveOxid2ResponseStruct
- type SMBClient
- func (c *SMBClient) CloseService(treeId uint32, fileId, serviceHandle []byte, callId uint32) error
- func (c *SMBClient) CreateService(treeId uint32, fileId, contextHandle []byte, ...) (handler []byte, err error)
- func (c *SMBClient) DeleteService(treeId uint32, fileId, serviceHandle []byte, callId uint32) (err error)
- func (c *SMBClient) FileUpload(file, Path string) (filename string, err error)
- func (c *SMBClient) MSRPCBind(treeId uint32, fileId []byte, callId uint32, ctxs []CtxItemStruct) (err error)
- func (c *SMBClient) OpenService(treeId uint32, fileId, contextHandle []byte, servicename string, callId uint32) (err error)
- func (c *SMBClient) OpenSvcManager(treeId, callId uint32) (fileid, handler []byte, err error)
- func (c *SMBClient) ServiceDelete(serviceHandle []byte) (err error)
- func (c *SMBClient) ServiceInstall(servicename, file, path string) (service string, servicehandle []byte, err error)
- func (c *SMBClient) StartService(treeId uint32, fileId, serviceHandle []byte, callId uint32) (err error)
- type ServerAlive2RequestStruct
- type ServerAlive2ResponseStruct
- type SyntaxIDStruct
- type TCPClient
- func (c *TCPClient) EPMLookupRequest(callId uint32) (res EPMLookupResponseStruct, err error)
- func (c *TCPClient) MSRPCAuthBind(callId uint32, ctxs []CtxItemStruct, auth AuthInfoByNTLMSSPStruct, ...) (err error)
- func (c *TCPClient) MSRPCBind(callId uint32, ctxs []CtxItemStruct) (res MSRPCBindAckStruct, err error)
- func (c *TCPClient) RpcBindEpmapper(callId uint32) (err error)
- func (c *TCPClient) RpcBindIOXIDResolver(callId uint32) (err error)
- func (c *TCPClient) ServerAlive2Request(callId uint32) (address []string, err error)
Constants ¶
View Source
const ( ResolveOxid = 0 SimplePing = 1 ComplexPing = 2 ServerAlive = 3 ResolveOxid2 = 4 ServerAlive2 = 5 )
RPC Opnum
View Source
const ( PDURequest = 0 PDUPing = 1 PDUResponse = 2 PDUFault = 3 PDUWorking = 4 PDUNoCall = 5 PDUReject = 6 PDUAck = 7 PDUCl_Cancel = 8 PDUFack = 9 PDUCancel_Ack = 10 PDUBind = 11 PDUBind_Ack = 12 PDUBind_Nak = 13 PDUAlter_Context = 14 PDUAlter_Context_Resp = 15 PDUShutdown = 17 PDUCo_Cancel = 18 PDUOrphaned = 19 )
PDU PacketType https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm
View Source
const ( //PDUFlagReserved_01 = 0x01 FirstFrag = 0x01 LastFrag = 0x02 //PDUFlagLastFrag = 0x02 PDUFlagPending = 0x03 CancelPending = 0x04 //PDUFlagFrag = 0x04 PDUFlagNoFack = 0x08 PDUFlagMayBe = 0x10 PDUFlagIdemPotent = 0x20 PDUFlagBroadcast = 0x40 PDUFlagReserved_80 = 0x80 )
PDU PacketFlags https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm
View Source
const ( SERVICE_ALL_ACCESS = 0x000F01FF SC_MANAGER_CREATE_SERVICE = 0x00000002 SC_MANAGER_CONNECT = 0x00000001 )
View Source
const ( RCloseServiceHandle = 0 RControlService = 1 RDeleteService = 2 RLockServiceDatabase = 3 RQueryServiceObjectSecurity = 4 RSetServiceObjectSecurity = 5 RQueryServiceStatus = 6 RSetServiceStatus = 7 RUnlockServiceDatabase = 8 RNotifyBootConfigStatus = 9 RChangeServiceConfigW = 11 RCreateServiceW = 12 REnumDependentServicesW = 13 REnumServicesStatusW = 14 ROpenSCManagerW = 15 ROpenServiceW = 16 RQueryServiceConfigW = 17 RQueryServiceLockStatusW = 18 RStartServiceW = 19 RGetServiceDisplayNameW = 20 RGetServiceKeyNameW = 21 RChangeServiceConfigA = 23 RCreateServiceA = 24 REnumDependentServicesA = 25 REnumServicesStatusA = 26 ROpenSCManagerA = 27 ROpenServiceA = 28 RQueryServiceConfigA = 29 RQueryServiceLockStatusA = 30 RStartServiceA = 31 RGetServiceDisplayNameA = 32 RGetServiceKeyNameA = 33 REnumServiceGroupW = 35 RChangeServiceConfig2A = 36 RChangeServiceConfig2W = 37 RQueryServiceConfig2A = 38 RQueryServiceConfig2W = 39 RQueryServiceStatusEx = 40 REnumServicesStatusExA = 41 REnumServicesStatusExW = 42 RCreateServiceWOW64A = 44 RCreateServiceWOW64W = 45 RNotifyServiceStatusChange = 47 RGetNotifyResults = 48 RCloseNotifyHandle = 49 RControlServiceExA = 50 RControlServiceExW = 51 RQueryServiceConfigEx = 56 RCreateWowService = 60 ROpenSCManager2 = 64 )
View Source
const ( SERVICE_KERNEL_DRIVER = 0x00000001 SERVICE_FILE_SYSTEM_DRIVER = 0x00000002 SERVICE_WIN32_OWN_PROCESS = 0x00000010 SERVICE_WIN32_SHARE_PROCESS = 0x00000020 SERVICE_INTERACTIVE_PROCESS = 0x00000100 )
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/6a8ca926-9477-4dd4-b766-692fab07227e dwServiceType 类型
View Source
const ( SERVICE_BOOT_START = 0x00000000 SERVICE_SYSTEM_START = 0x00000001 SERVICE_AUTO_START = 0x00000002 SERVICE_DEMAND_START = 0x00000003 SERVICE_DISABLED = 0x00000004 )
dwStartType类型
View Source
const ( SERVICE_ERROR_IGNORE = 0x00000000 SERVICE_ERROR_NORMAL = 0x00000001 SERVICE_ERROR_SEVERE = 0x00000002 SERVICE_ERROR_CRITICAL = 0x00000003 )
dwErrorControl类型
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuthInfoByNTLMSSPStruct ¶
type CtxEItemResponseStruct ¶
type CtxEItemResponseStruct struct {
AckResult uint16
AckReason uint16
TransferSyntax []byte `smb:"fixed:16"` //16字节
SyntaxVer uint32
}
PDU CtxItem响应结构
type CtxItemStruct ¶
type CtxItemStruct struct {
ContextId uint16
NumTransItems uint8
Reserved uint8
AbstractSyntax SyntaxIDStruct
TransferSyntax SyntaxIDStruct
}
PDU CtxItem结构
type EPMLookupRequestStruct ¶
type EPMLookupRequestStruct struct {
MSRPCHeaderStruct
AllocHint uint32 `smb:"len:EndpointMapperLookup"` // Endpoint Mapper lookup长度
ContextId uint16
Opnum uint16
EndpointMapperLookup endpointMapperLookup
}
lookup request请求结构
func NewEPMLookupRequest ¶
func NewEPMLookupRequest() EPMLookupRequestStruct
type EPMLookupResponseStruct ¶
type EPMLookupResponseStruct struct {
MSRPCHeaderStruct
AllocHint uint32
ContextId uint16
CancelCount uint8
Reserved uint8
// epm结构
EntryHandle []byte `smb:"fixed:20"`
NumEntries uint32
EntriesMaxCount uint32
EntriesOffset uint32
EntriesActualCount uint32
// 块结构
Entry []EntryStruct `smb:"value:EntriesActualCount"`
Reserved2 []byte `smb:"fixed:3"`
// 块的具体数据
EntryTowerPointer []EntryTowerPointerStruct `smb:"value:EntriesActualCount"`
ReturnCode uint32
}
func NewEPMLookupResponse ¶
func NewEPMLookupResponse() EPMLookupResponseStruct
type EntryStruct ¶
type EntryTowerPointerStruct ¶
type MSRPCAuthByNTLMSSPBindStruct ¶
type MSRPCAuthByNTLMSSPBindStruct struct {
MSRPCHeaderStruct
MaxXmitFrag uint16
MaxRecvFrag uint16
AssocGroup uint32
NumCtxItems uint8
Reserved uint8
Reserved2 uint16
CtxItems []CtxItemStruct
AuthInfo AuthInfoByNTLMSSPStruct
}
带认证的函数绑定请求结构
type MSRPCBindAckStruct ¶
type MSRPCBindAckStruct struct {
MSRPCHeaderStruct
MaxXmitFrag uint16
MaxRecvFrag uint16
AssocGroup uint32
ScndryAddrlen uint16
ScndryAddr []byte `smb:"count:ScndryAddrlen"` //取决管道的长度
NumResults uint8
CtxItem CtxEItemResponseStruct
}
函数绑定响应结构
type MSRPCBindStruct ¶
type MSRPCBindStruct struct {
MSRPCHeaderStruct
MaxXmitFrag uint16 //4字节,发送大小协商
MaxRecvFrag uint16 //4字节,接收大小协商
AssocGroup uint32 //客户端绑定服务端关联组
NumCtxItems uint8
Reserved uint8
Reserved2 uint16
CtxItems []CtxItemStruct //多个对象
}
函数绑定请求结构
type MSRPCHeaderStruct ¶
type MSRPCHeaderStruct struct {
Version uint8
VersionMinor uint8
PacketType uint8
PacketFlags uint8
DataRepresentation uint32 //4字节,小端排序,0x10
FragLength uint16 //2字节,整个结构的长度
AuthLength uint16
CallId uint32
}
MSRPC 标准头
func NewMSRPCHeader ¶
func NewMSRPCHeader() MSRPCHeaderStruct
type MSRPCRequestHeaderStruct ¶
type MSRPCRequestHeaderStruct struct {
MSRPCHeaderStruct
AllocHint uint32 `smb:"len:Buffer"` //Buffer的长度
ContextId uint16
OpNum uint16
Buffer interface{}
}
func NewOpenSCManagerWRequest ¶
func NewOpenSCManagerWRequest() MSRPCRequestHeaderStruct
OpenSCManagerW请求 DWORD ROpenSCManagerW(
[in, string, unique, range(0, SC_MAX_COMPUTER_NAME_LENGTH)] SVCCTL_HANDLEW lpMachineName, [in, string, unique, range(0, SC_MAX_NAME_LENGTH)] wchar_t* lpDatabaseName, [in] DWORD dwDesiredAccess, [out] LPSC_RPC_HANDLE lpScHandle );
lpMachineName:一种 SVCCTL_HANDLEW(第 2.2.3 节)数据类型,它定义指向以空字符结尾的 UNICODE 字符串的指针,该字符串指定服务器的机器名称。 lpDatabaseName:指向以空结尾的 UNICODE 字符串的指针,该字符串指定要打开的 SCM 数据库的名称。该参数必须设置为 NULL、“ServicesActive”或“ServicesFailed”。 dwDesiredAccess:一个值,指定对数据库的访问。这必须是第 3.1.4 节中指定的值之一。 客户端还必须具有 SC_MANAGER_CONNECT 访问权限。 lpScHandle:一种 LPSC_RPC_HANDLE 数据类型,用于定义新打开的 SCM 数据库的句柄。
func NewRCloseServiceHandleRequest ¶
func NewRCloseServiceHandleRequest(contextHandle []byte) MSRPCRequestHeaderStruct
初始化关闭服务句柄
func NewRCreateServiceWRequest ¶
func NewRCreateServiceWRequest(contextHandle []byte, servicename, uploadPathFile string) MSRPCRequestHeaderStruct
func NewRDeleteServiceRequest ¶
func NewRDeleteServiceRequest(contextHandle []byte) MSRPCRequestHeaderStruct
删除服务封装
func NewROpenServiceWRequest ¶
func NewROpenServiceWRequest(contextHandle []byte, servicename string) MSRPCRequestHeaderStruct
初始化打开服务请求
func NewRStartServiceWRequest ¶
func NewRStartServiceWRequest(contextHandle []byte) MSRPCRequestHeaderStruct
启动服务封装
type NTLMSecureServiceProviderStruct ¶
type NTLMSecureServiceProviderStruct struct {
NTLMSSPIdentifier []byte `smb:"fixed:8"`
NTLMMessageType uint32
NegotiateFlags uint32
DomainNameLen uint16 //`smb:"len:DomainName"`
DomainNameMaxLen uint16 //`smb:"len:DomainName"`
DomainNameBufferOffset uint32 //`smb:"offset:DomainName"` // 从NEGOTIATE_MESSAGE的开头到DomainName中的偏移量
WorkstationLen uint16 //`smb:"len:Workstation"`
WorkstationMaxLen uint16 //`smb:"len:Workstation"`
WorkstationBufferOffset uint32 //`smb:"offset:WorkstationName"` // 从NEGOTIATE_MESSAGE的开头到WorkstationName中的偏移量
Version NTLMVersion
WorkstationName []byte
DomainName []byte
}
ntlm ssp
type NTLMVersion ¶
type OpenSCManagerWResponse ¶
type OpenSCManagerWResponse struct {
MSRPCHeaderStruct
AllocHint uint32
ContextId uint16
CancelCount uint8
Reserved uint8
ContextHandle []byte `smb:"fixed:20"`
ReturnCode uint32
}
OpenSCManagerW响应结构
func NewOpenSCManagerWResponse ¶
func NewOpenSCManagerWResponse() OpenSCManagerWResponse
type OpenSCManagerWStruct ¶
type OpenSCManagerWStruct struct {
MachineName machineName
Database database
AccessMask uint32
}
type RCloseServiceHandleRequestStruct ¶
type RCloseServiceHandleRequestStruct struct {
ContextHandle []byte `smb:"fixed:20"`
}
关闭服务句柄
type RCloseServiceHandleResponseStruct ¶
type RCloseServiceHandleResponseStruct struct {
MSRPCHeaderStruct
AllocHint uint32
ContextId uint16
CancelCount uint8
Reserved uint8
ContextHandle []byte `smb:"fixed:20"`
ReturnCode uint32
}
func NewRCloseServiceHandleResponse ¶
func NewRCloseServiceHandleResponse() RCloseServiceHandleResponseStruct
type RCreateServiceWRequestStruct ¶
type RCreateServiceWRequestStruct struct {
ContextHandle []byte `smb:"fixed:20"` //OpenSCManagerW 句柄
ServiceName serviceName
DisplayName displayName
AccessMask uint32
ServiceType uint32
ServiceStartType uint32
ServiceErrorControl uint32
BinaryPathName binaryPathName
NULLPointer uint32
TagId uint32
NULLPointer2 uint32
DependSize uint32
NULLPointer3 uint32
NULLPointer4 uint32
PasswordSize uint32
}
type RCreateServiceWResponseStruct ¶
type RCreateServiceWResponseStruct struct {
MSRPCHeaderStruct
AllocHint uint32
ContextId uint16
CancelCount uint8
Reserved uint8
TagId uint32
ContextHandle []byte `smb:"fixed:20"`
ReturnCode uint32
}
RCreateServiceW响应结构
func NewRCreateServiceWResponse ¶
func NewRCreateServiceWResponse() RCreateServiceWResponseStruct
type RDeleteServiceRequestStruct ¶
type RDeleteServiceRequestStruct struct {
ContextHandle []byte `smb:"fixed:20"` //20字节,创建服务返回的句柄
}
type RDeleteServiceResponseStruct ¶
type RDeleteServiceResponseStruct struct {
MSRPCHeaderStruct
AllocHint uint32
ContextId uint16
CancelCount uint8
Reserved uint8
ReturnCode uint32
}
func NewRDeleteServiceResponse ¶
func NewRDeleteServiceResponse() RDeleteServiceResponseStruct
删除服务响应
type ROpenServiceWRequestStruct ¶
type ROpenServiceWResponseStruct ¶
type ROpenServiceWResponseStruct struct {
MSRPCHeaderStruct
AllocHint uint32
ContextId uint16
CancelCount uint8
Reserved uint8
ContextHandle []byte `smb:"fixed:20"`
ReturnCode uint32
}
func NewROpenServiceWResponse ¶
func NewROpenServiceWResponse() ROpenServiceWResponseStruct
type RStartServiceWRequestStruct ¶
type RStartServiceWResponseStruct ¶
type RStartServiceWResponseStruct struct {
MSRPCHeaderStruct
AllocHint uint32
ContextId uint16
CancelCount uint8
Reserved uint8
StubData uint32
}
func NewRStartServiceWResponse ¶
func NewRStartServiceWResponse() RStartServiceWResponseStruct
启动服务响应
type ResolveOxid2RequestStruct ¶
type ResolveOxid2RequestStruct struct {
// 一共32字节
OXID uint64
IpIdRemUnknown uint64
DwPid uint32
DwTid uint32
Reserved uint64
}
ResolveOxid2请求结构 https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dcom/65292e10-ef0c-43ee-bce7-788e271cc794
type ResolveOxid2ResponseStruct ¶
type ResolveOxid2ResponseStruct struct {
Reserved uint64
Reserved2 uint16
IPID []byte `smb:"fixed:16"`
AuthnHint uint32
VersionMajor uint16
VersionMinor uint16
HResult uint32
// contains filtered or unexported fields
}
ResolveOxid2响应结构
type SMBClient ¶
func (*SMBClient) CloseService ¶
smb->关闭scm句柄
func (*SMBClient) CreateService ¶
func (c *SMBClient) CreateService(treeId uint32, fileId, contextHandle []byte, servicename, uploadPathFile string, callId uint32) (handler []byte, err error)
smb->创建服务,返回创建服务后的实例句柄
func (*SMBClient) DeleteService ¶
func (c *SMBClient) DeleteService(treeId uint32, fileId, serviceHandle []byte, callId uint32) (err error)
smb->删除服务
func (*SMBClient) FileUpload ¶
smb->上传文件,返回文件名
func (*SMBClient) MSRPCBind ¶
func (c *SMBClient) MSRPCBind(treeId uint32, fileId []byte, callId uint32, ctxs []CtxItemStruct) (err error)
smb->函数绑定
func (*SMBClient) OpenService ¶
func (c *SMBClient) OpenService(treeId uint32, fileId, contextHandle []byte, servicename string, callId uint32) (err error)
smb->打开服务
func (*SMBClient) OpenSvcManager ¶
smb->打开scm,返回scm服务句柄
func (*SMBClient) ServiceDelete ¶
服务删除
type ServerAlive2RequestStruct ¶
type ServerAlive2RequestStruct struct {
MSRPCHeaderStruct
AllocHint uint32
ContextId uint16
Opnum uint16
}
ServerAlive2请求结构
func NewServerAlive2Request ¶
func NewServerAlive2Request() ServerAlive2RequestStruct
type ServerAlive2ResponseStruct ¶
type ServerAlive2ResponseStruct struct {
MSRPCHeaderStruct
AllocHint uint32
ContextId uint16
CancelCount uint8
Reserved uint8
VersionMajor uint16
VersionMinor uint16
Unknown uint64
PpdsaOrBindings AddressStruct
Reserved2 uint64
}
func NewServerAlive2Response ¶
func NewServerAlive2Response() ServerAlive2ResponseStruct
type SyntaxIDStruct ¶
type TCPClient ¶
func NewTCPSession ¶
func NewTCPSession(opt common.ClientOptions, debug bool) (client *TCPClient, err error)
tcp连接封装
func (*TCPClient) EPMLookupRequest ¶
func (c *TCPClient) EPMLookupRequest(callId uint32) (res EPMLookupResponseStruct, err error)
func (*TCPClient) MSRPCAuthBind ¶
func (c *TCPClient) MSRPCAuthBind(callId uint32, ctxs []CtxItemStruct, auth AuthInfoByNTLMSSPStruct, assocGroup uint32, domainNameLen, workstationNameLen uint16) (err error)
带认证场景的msrpc绑定
func (*TCPClient) MSRPCBind ¶
func (c *TCPClient) MSRPCBind(callId uint32, ctxs []CtxItemStruct) (res MSRPCBindAckStruct, err error)
tcp->函数绑定
func (*TCPClient) RpcBindEpmapper ¶
绑定epmapper接口
func (*TCPClient) RpcBindIOXIDResolver ¶
绑定IOXIDResolver接口
Source Files
Click to show internal directories.
Click to hide internal directories.