On Tue, 1 Jul 2003, John Lampe wrote:

> Is there any nasl API for pulling SMB registry entries outside of HKLM? I
> see the following in smb_nt.inc [...]
> Which Michel documents as being renamed registry_open_hklm (or should
> be)...So, is there any way to registry_open_hkcu, or any of the other hives?
> I guess I can dump a remote HKCU session...but I don't want to have to :-/

Interesting data start at 0x05, 0x00:

[RPC header]
0x05, 0x00,              maj & min version
0x00,                    pkt_type (request)
0x03,                    flags
0x10, 0x00, 0x00, 0x00,  data presentation
0x24, 0x00,              frag_len
0x00, 0x00,              auth_len
0x01, 0x00, 0x00, 0x00,  call_id
0x0C, 0x00, 0x00, 0x00,  alloc_hint
0x00, 0x00,              context_id
0x02, 0x00,              opnum

[open H* payload]
0x10, 0xFF, 0x12, 0x00,  ptr?
0x30, 0x39,              ?
0x01, 0x00,              ?
0x00, 0x00, 0x00, 0x02   access mask?

Opnum 2 is open HKLM. Open HKCR is 0, open HKU is 4; everything you need to do in the RPC header is to change opnum. The payload is more problematic: its format is identical for all open ops but God knows whether the same set of magical constants can be used when a different open is performed.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
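An added example, not part of the thread and not Nessus/NASL code: a small Python decoder for the request laid out in Pavel's message. It re-types his byte dump as a constructed sample, parses the 24-byte request header and the 12-byte payload with the field names he gives (the "?" names are kept as his guesses), checks that frag_len and alloc_hint agree with the actual lengths, and maps the opnum to a hive using only the three values he states (0 HKCR, 2 HKLM, 4 HKU). The little-endian interpretation of the multi-byte fields is my assumption, taken from the 0x10 data-representation byte.

```python
import struct

# Byte layout transcribed from the message above: a 24-byte DCE/RPC request
# header followed by the 12-byte "open H*" payload. Payload field names are
# the message's own guesses ("ptr?", "access mask?"), kept as such.

# Constructed sample: the open-HKLM request from the message, re-typed.
SAMPLE_OPEN_HKLM = bytes([
    0x05, 0x00,              # major, minor version
    0x00,                    # pkt_type: 0 = request
    0x03,                    # flags
    0x10, 0x00, 0x00, 0x00,  # data representation (0x10 assumed = little-endian ints)
    0x24, 0x00,              # frag_len = 36 = whole PDU
    0x00, 0x00,              # auth_len
    0x01, 0x00, 0x00, 0x00,  # call_id
    0x0C, 0x00, 0x00, 0x00,  # alloc_hint = 12 = payload length
    0x00, 0x00,              # context_id
    0x02, 0x00,              # opnum = 2 (open HKLM per the message)
    0x10, 0xFF, 0x12, 0x00,  # "ptr?"
    0x30, 0x39,              # "?"
    0x01, 0x00,              # "?"
    0x00, 0x00, 0x00, 0x02,  # "access mask?"
])

# Opnum -> hive, exactly the three values stated in the message.
WINREG_OPEN_OPNUMS = {0: "HKCR", 2: "HKLM", 4: "HKU"}

HEADER_FMT = "<BBBBIHHIIHH"            # 24-byte request header, little-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)
PAYLOAD_FMT = "<IHHI"                   # 12-byte "open H*" payload as labelled above
PAYLOAD_LEN = struct.calcsize(PAYLOAD_FMT)


def hive_for_opnum(opnum: int):
    """Return the hive name for a known open opnum, or None if unknown."""
    return WINREG_OPEN_OPNUMS.get(opnum)


def parse_request(pkt: bytes) -> dict:
    """Decode a winreg open request PDU and validate its length fields."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short packet: %d bytes, header needs %d" % (len(pkt), HEADER_LEN))
    (vers, vers_minor, pkt_type, flags, drep, frag_len, auth_len,
     call_id, alloc_hint, context_id, opnum) = struct.unpack_from(HEADER_FMT, pkt, 0)
    if pkt_type != 0:
        raise ValueError("not a request PDU (pkt_type=%d)" % pkt_type)
    # frag_len must cover the whole PDU; a mismatch means a truncated or
    # mis-framed capture rather than something worth decoding further.
    if frag_len != len(pkt):
        raise ValueError("frag_len %d != packet length %d" % (frag_len, len(pkt)))
    payload = pkt[HEADER_LEN:]
    if len(payload) != PAYLOAD_LEN:
        raise ValueError("payload is %d bytes, expected %d" % (len(payload), PAYLOAD_LEN))
    ptr, unk1, unk2, access = struct.unpack(PAYLOAD_FMT, payload)
    return {
        "version": (vers, vers_minor),
        "flags": flags,
        "drep": drep,
        "frag_len": frag_len,
        "auth_len": auth_len,
        "call_id": call_id,
        "alloc_hint": alloc_hint,
        # alloc_hint is only a hint; record whether it matches instead of failing.
        "alloc_hint_matches_payload": alloc_hint == len(payload),
        "context_id": context_id,
        "opnum": opnum,
        "hive": hive_for_opnum(opnum),
        "payload": {"ptr": ptr, "unk1": unk1, "unk2": unk2, "access_mask": access},
    }


def is_well_formed(pkt: bytes) -> bool:
    """True if parse_request accepts the PDU, False on any framing error."""
    try:
        parse_request(pkt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    req = parse_request(SAMPLE_OPEN_HKLM)
    print("opnum %d -> %s, call_id %d, access 0x%08x"
          % (req["opnum"], req["hive"], req["call_id"], req["payload"]["access_mask"]))
```

Running the decoder over the sample confirms the framing Pavel describes: frag_len 0x24 covers the 24-byte header plus 12-byte payload, alloc_hint 0x0C equals the payload length, and opnum 2 resolves to HKLM. Note that the decoder deliberately does not interpret the payload constants; as the message says, whether they carry over to the other open ops is unknown.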
This archive was generated by hypermail 2b30 : Tue Jul 01 2003 - 15:22:49 PDT