diff --git a/format/pyrdp/pdu/client_info.go b/format/pyrdp/pdu/client_info.go
index 38e78b0b..19181ec1 100644
--- a/format/pyrdp/pdu/client_info.go
+++ b/format/pyrdp/pdu/client_info.go
@@ -114,5 +114,5 @@ func decodeFlagsFn(d *decode.D) {
 d.FieldBool("reserved2")
 d.FieldBool("hidef_rail_supported")
- d.SeekRel(int64(d.Pos()) % 31)
+ d.SeekRel(d.Pos() % 31)
 }
diff --git a/format/pyrdp/pdu/clipboard_data.go b/format/pyrdp/pdu/clipboard_data.go
index f40d0a35..92d4f379 100644
--- a/format/pyrdp/pdu/clipboard_data.go
+++ b/format/pyrdp/pdu/clipboard_data.go
@@ -60,9 +60,13 @@ func ParseClipboardData(d *decode.D, length int64) {
 d.FieldU16("msg_flags", cbFlagsMap)
 data_length := d.FieldU32("data_len")
- if _, ok := cbParseFnMap[msg_type]; ok {
- cbParseFnMap[msg_type].(func(d *decode.D, length uint64))(d, data_length)
- return
+ cbParser, ok := cbParseFnMap[msg_type]
+ if ok {
+ parseFn, ok := cbParser.(func(d *decode.D, length uint64))
+ if ok {
+ parseFn(d, data_length)
+ return
+ }
 }
 // Assert() once all functions are implemented.
 d.FieldRawLen("data", int64(data_length*8))
diff --git a/format/pyrdp/pdu/fastpath_input.go b/format/pyrdp/pdu/fastpath_input.go
index a557553a..c2307bf1 100644
--- a/format/pyrdp/pdu/fastpath_input.go
+++ b/format/pyrdp/pdu/fastpath_input.go
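Review bot: The seek distance on the changed line in decodeFlagsFn, `d.Pos() % 31`, does not look like a padding calculation: 31 is not a bit-width boundary, and the result depends on the absolute stream position, so the same flags word would be skipped by a different amount depending on where the PDU sits in the capture. If the intent is to consume the unused remainder of a fixed-width flags field, record the start and seek by what is left, e.g. `start := d.Pos()` at the top of the function and `d.SeekRel(32 - (d.Pos() - start))` here (32 is assumed; confirm against the field width). decodeFlagsFn starts outside this hunk, so the number of bits already consumed is not visible.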
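Review bot: In ParseClipboardData, a handler registered in `cbParseFnMap` with the wrong signature is now silently treated as unimplemented: when the checked assertion on `cbParser` fails, control falls through to the raw `data` field with no diagnostic. The mismatch is a programming error that can be ruled out at compile time by declaring the map with a concrete value type, `func(d *decode.D, length uint64)`, under its existing key type (the declaration is outside this hunk), after which the lookup reduces to `if parseFn, ok := cbParseFnMap[msg_type]; ok { parseFn(d, data_length); return }`. In the visible lines `data_length` is taken from the PDU and handed to the handler without being compared with the enclosing `length`, which is worth checking since this decodes untrusted captures. The same assertion pattern is introduced for `pduParsersMap` in decodePYRDP in format/pyrdp/pyrdp.go.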
@@ -22,32 +22,33 @@ const (
 FASTPATH_INPUT_EVENT_QOE_TIMESTAMP = 6
 )
-var eventCodesMap = scalar.UintMapSymStr{
- FASTPATH_INPUT_EVENT_SCANCODE: "fastpath_input_event_scancode",
- FASTPATH_INPUT_EVENT_MOUSE: "fastpath_input_event_mouse",
- FASTPATH_INPUT_EVENT_MOUSEX: "fastpath_input_event_mousex",
- FASTPATH_INPUT_EVENT_SYNC: "fastpath_input_event_sync",
- FASTPATH_INPUT_EVENT_UNICODE: "fastpath_input_event_unicode",
- FASTPATH_INPUT_EVENT_QOE_TIMESTAMP: "fastpath_input_event_qoe_timestamp",
-}
+// commented because unused but we should use one-day
+//var eventCodesMap = scalar.UintMapSymStr{
+// FASTPATH_INPUT_EVENT_SCANCODE: "fastpath_input_event_scancode",
+// FASTPATH_INPUT_EVENT_MOUSE: "fastpath_input_event_mouse",
+// FASTPATH_INPUT_EVENT_MOUSEX: "fastpath_input_event_mousex",
+// FASTPATH_INPUT_EVENT_SYNC: "fastpath_input_event_sync",
+// FASTPATH_INPUT_EVENT_UNICODE: "fastpath_input_event_unicode",
+// FASTPATH_INPUT_EVENT_QOE_TIMESTAMP: "fastpath_input_event_qoe_timestamp",
+//}
-var eventFnMap = map[int]interface{}{
- FASTPATH_INPUT_EVENT_SCANCODE: parseFastpathInputEventScancode,
- FASTPATH_INPUT_EVENT_MOUSE: parseFastpathInputEventMouse,
- FASTPATH_INPUT_EVENT_MOUSEX: parseFastpathInputEventMousex,
- FASTPATH_INPUT_EVENT_SYNC: parseFastpathInputEventSync,
- FASTPATH_INPUT_EVENT_UNICODE: parseFastpathInputEventUnicode,
- FASTPATH_INPUT_EVENT_QOE_TIMESTAMP: parseFastpathInputEventQoeTimestamp,
-}
+//var eventFnMap = map[int]interface{}{
+// FASTPATH_INPUT_EVENT_SCANCODE: parseFastpathInputEventScancode,
+// FASTPATH_INPUT_EVENT_MOUSE: parseFastpathInputEventMouse,
+// FASTPATH_INPUT_EVENT_MOUSEX: parseFastpathInputEventMousex,
+// FASTPATH_INPUT_EVENT_SYNC: parseFastpathInputEventSync,
+// FASTPATH_INPUT_EVENT_UNICODE: parseFastpathInputEventUnicode,
+// FASTPATH_INPUT_EVENT_QOE_TIMESTAMP: parseFastpathInputEventQoeTimestamp,
+//}
-var fastPathInputEventLengthsMap = map[int]int{
- FASTPATH_INPUT_EVENT_SCANCODE: 2,
- FASTPATH_INPUT_EVENT_MOUSE: 7,
- FASTPATH_INPUT_EVENT_MOUSEX: 7,
- FASTPATH_INPUT_EVENT_SYNC: 1,
- FASTPATH_INPUT_EVENT_UNICODE: 3,
- FASTPATH_INPUT_EVENT_QOE_TIMESTAMP: 5,
-}
+//var fastPathInputEventLengthsMap = map[int]int{
+// FASTPATH_INPUT_EVENT_SCANCODE: 2,
+// FASTPATH_INPUT_EVENT_MOUSE: 7,
+// FASTPATH_INPUT_EVENT_MOUSEX: 7,
+// FASTPATH_INPUT_EVENT_SYNC: 1,
+// FASTPATH_INPUT_EVENT_UNICODE: 3,
+// FASTPATH_INPUT_EVENT_QOE_TIMESTAMP: 5,
+//}
 func ParseFastPathInput(d *decode.D, length int64) {
 d.FieldStruct("fastpath_input", func(d *decode.D) {
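Review bot: Commenting out `eventCodesMap`, `eventFnMap` and `fastPathInputEventLengthsMap` here (and the six `parseFastpathInputEvent*` functions in the second hunk of this file) leaves code that is no longer compiled or vetted, so it will drift from the decoder API without anyone noticing. Prefer deleting it and leaving a short pointer such as `// TODO(<issue-placeholder>): decode individual fast-path input events`, or keep it compiled by wiring it into ParseFastPathInput. Relatedly, util.go exports `charMapper` as `CharMapper` although its only visible use is inside the commented-out scancode parser; if nothing outside the package needs it, keeping it unexported avoids widening the package API. If `eventFnMap` is revived, declaring it as `map[int]func(d *decode.D)` instead of `map[int]interface{}` would avoid a runtime type assertion on the dispatch path.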
@@ -98,30 +99,31 @@ func ParseFastPathInput(d *decode.D, length int64) {
 })
 }
-func parseFastpathInputEventScancode(d *decode.D) {
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/089d362b-31eb-4a1a-b6fa-92fe61bb5dbf
- d.FieldU8("key_code", charMapper)
-}
+//commented because unused but we should use one-day
+//func parseFastpathInputEventScancode(d *decode.D) {
+// // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/089d362b-31eb-4a1a-b6fa-92fe61bb5dbf
+// d.FieldU8("key_code", CharMapper)
+//}
-func parseFastpathInputEventMouse(d *decode.D) {
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/16a96ded-b3d3-4468-b993-9c7a51297510
- d.FieldU16("pointer_flags", scalar.UintHex)
- d.FieldU16("x")
- d.FieldU16("y")
-}
-func parseFastpathInputEventMousex(d *decode.D) {
- // https: //docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/2ef7632f-2f2a-4de7-ab58-2585cedcdf48
- d.FieldU16("pointer_flags", scalar.UintHex)
- d.FieldU16("x")
- d.FieldU16("y")
-}
-func parseFastpathInputEventSync(d *decode.D) {
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/6c5d0ef9-4653-4d69-9ba9-09ba3acd660f
- d.FieldU16("padding")
- d.FieldU32("toggle_flags")
-}
-func parseFastpathInputEventUnicode(d *decode.D) {
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/e7b13e98-d800-42bb-9a1d-6948537d2317
- d.FieldU16("unicode_code", scalar.UintHex)
-}
-func parseFastpathInputEventQoeTimestamp(d *decode.D) {}
+//func parseFastpathInputEventMouse(d *decode.D) {
+// // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/16a96ded-b3d3-4468-b993-9c7a51297510
+// d.FieldU16("pointer_flags", scalar.UintHex)
+// d.FieldU16("x")
+// d.FieldU16("y")
+//}
+//func parseFastpathInputEventMousex(d *decode.D) {
+// // https: //docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/2ef7632f-2f2a-4de7-ab58-2585cedcdf48
+// d.FieldU16("pointer_flags", scalar.UintHex)
+// d.FieldU16("x")
+// d.FieldU16("y")
+//}
+//func parseFastpathInputEventSync(d *decode.D) {
+// // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/6c5d0ef9-4653-4d69-9ba9-09ba3acd660f
+// d.FieldU16("padding")
+// d.FieldU32("toggle_flags")
+//}
+//func parseFastpathInputEventUnicode(d *decode.D) {
+// // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/e7b13e98-d800-42bb-9a1d-6948537d2317
+// d.FieldU16("unicode_code", scalar.UintHex)
+//}
+//func parseFastpathInputEventQoeTimestamp(d *decode.D) {}
diff --git a/format/pyrdp/pdu/util.go b/format/pyrdp/pdu/util.go
index 3e554304..3fce295f 100644
--- a/format/pyrdp/pdu/util.go
+++ b/format/pyrdp/pdu/util.go
@@ -9,7 +9,7 @@ import (
 "github.com/wader/fq/pkg/scalar"
 )
-var charMapper = scalar.UintFn(func(s scalar.Uint) (scalar.Uint, error) {
+var CharMapper = scalar.UintFn(func(s scalar.Uint) (scalar.Uint, error) {
 char := s.Actual
 s.Sym = fmt.Sprintf("%c", int(char))
 return s, nil
diff --git a/format/pyrdp/pyrdp.go b/format/pyrdp/pyrdp.go
index 4299a880..8fc8e773 100644
--- a/format/pyrdp/pyrdp.go
+++ b/format/pyrdp/pyrdp.go
@@ -113,14 +113,18 @@ func decodePYRDP(d *decode.D) any {
 d.FieldU64("timestamp", timestampMapper)
 pdu_size := int64(size - 18)
- if _, ok := pduParsersMap[pdu_type]; !ok { // catch undeclared parsers
+ pduParser, ok := pduParsersMap[pdu_type]
+ if !ok { // catch undeclared parsers
 if pdu_size > 0 {
- d.FieldRawLen("data", int64(pdu_size*8))
+ d.FieldRawLen("data", pdu_size*8)
 }
 return
 }
- pduParsersMap[uint16(pdu_type)].(func(d *decode.D, length int64))(
- d, pdu_size)
+ parseFn, ok := pduParser.(func(d *decode.D, length int64))
+ if !ok {
+ return
+ }
+ parseFn(d, pdu_size)
 curr := d.Pos() - pos
 if READ_EXTRA {
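Review bot: The new `if !ok { return }` after the type assertion in decodePYRDP drops the PDU body without emitting anything, whereas the missing-parser branch just above records it as a raw `data` field; a registered entry with the wrong signature would leave `pdu_size` bytes undecoded and unaccounted for in the output. Both cases can share the fallback, because a checked assertion on a missing key's nil value simply yields `ok == false`: use `parseFn, ok := pduParsersMap[pdu_type].(func(d *decode.D, length int64))` and keep the existing `if !ok { ... }` block with its `d.FieldRawLen("data", pdu_size*8)` as the single failure path. Separately, `pdu_size := int64(size - 18)` reaches `parseFn` without the `pdu_size > 0` guard that the fallback applies; `size` is declared outside this hunk, but if it is read from the capture file, a value below 18 would hand the parser a negative or wrapped length. The enclosing function body starts and ends outside the hunk.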
@@ -134,9 +138,7 @@ func decodePYRDP(d *decode.D) any {
 return nil
 }
-func noParse(d *decode.D, length int64) {
- return
-}
+func noParse(d *decode.D, length int64) {}
 var timestampMapper = scalar.UintFn(func(s scalar.Uint) (scalar.Uint, error) {
 s.Sym = time.UnixMilli(int64(s.Actual)).UTC().String()