mirror of
https://github.com/wader/fq.git
synced 2024-10-27 04:09:37 +03:00
Compare commits
8 Commits
3f2aa75ec8
...
d5d35907c7
Author | SHA1 | Date | |
---|---|---|---|
|
d5d35907c7 | ||
|
fbbd045f1e | ||
|
64c5646e21 | ||
|
4f8a3120a8 | ||
|
0c69df6258 | ||
|
7d3e4d678f | ||
|
c1eb22ef9c | ||
|
98c4bdc529 |
6
.github/workflows/ci.yml
vendored
6
.github/workflows/ci.yml
vendored
@ -7,7 +7,7 @@ on:
|
||||
pull_request:
|
||||
|
||||
env:
|
||||
GOLANGCILINT_VERSION: "1.59.1"
|
||||
GOLANGCILINT_VERSION: "1.59.0"
|
||||
|
||||
jobs:
|
||||
lint:
|
||||
@ -15,7 +15,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: "1.22.4"
|
||||
go-version: "1.22.3"
|
||||
- uses: actions/checkout@v3
|
||||
- uses: golangci/golangci-lint-action@v3
|
||||
with:
|
||||
@ -47,7 +47,7 @@ jobs:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: "1.22.4"
|
||||
go-version: "1.22.3"
|
||||
- name: Test
|
||||
env:
|
||||
GOARCH: ${{ matrix.goarch }}
|
||||
|
2
.github/workflows/release.yml
vendored
2
.github/workflows/release.yml
vendored
@ -15,7 +15,7 @@ jobs:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: "1.22.4"
|
||||
go-version: "1.22.3"
|
||||
- uses: goreleaser/goreleaser-action@v5
|
||||
with:
|
||||
distribution: goreleaser
|
||||
|
@ -1,5 +1,5 @@
|
||||
# bump: docker-golang /FROM golang:([\d.]+)/ docker:golang|^1
|
||||
FROM golang:1.22.4-bookworm AS base
|
||||
FROM golang:1.22.3-bookworm AS base
|
||||
|
||||
# expect is used to test cli
|
||||
RUN \
|
||||
|
2
Makefile
2
Makefile
@ -61,7 +61,7 @@ gogenerate: always
|
||||
lint: always
|
||||
# bump: make-golangci-lint /golangci-lint@v([\d.]+)/ git:https://github.com/golangci/golangci-lint.git|^1
|
||||
# bump: make-golangci-lint link "Release notes" https://github.com/golangci/golangci-lint/releases/tag/v$LATEST
|
||||
go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.59.1 run
|
||||
go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.59.0 run
|
||||
|
||||
depgraph.svg: always
|
||||
go run github.com/kisielk/godepgraph@latest github.com/wader/fq | dot -Tsvg -o godepgraph.svg
|
||||
|
@ -138,7 +138,7 @@ prores_frame,
|
||||
[protobuf](doc/formats.md#protobuf),
|
||||
protobuf_widevine,
|
||||
pssh_playready,
|
||||
[pyrdp](doc/formats.md#pyrdp),
|
||||
pyrdp,
|
||||
[rtmp](doc/formats.md#rtmp),
|
||||
sll2_packet,
|
||||
sll_packet,
|
||||
|
@ -110,7 +110,6 @@
|
||||
|[`protobuf`](#protobuf) |Protobuf |<sub></sub>|
|
||||
|`protobuf_widevine` |Widevine protobuf |<sub>`protobuf`</sub>|
|
||||
|`pssh_playready` |PlayReady PSSH |<sub></sub>|
|
||||
|[`pyrdp`](#pyrdp) |PyRDP Replay Files |<sub></sub>|
|
||||
|[`rtmp`](#rtmp) |Real-Time Messaging Protocol |<sub>`amf0` `mpeg_asc`</sub>|
|
||||
|`sll2_packet` |Linux cooked capture encapsulation v2 |<sub>`inet_packet`</sub>|
|
||||
|`sll_packet` |Linux cooked capture encapsulation |<sub>`inet_packet`</sub>|
|
||||
@ -1196,16 +1195,6 @@ $ fq -d protobuf '.fields[6].wire_value | protobuf | d' file
|
||||
### References
|
||||
- https://developers.google.com/protocol-buffers/docs/encoding
|
||||
|
||||
## pyrdp
|
||||
PyRDP Replay Files.
|
||||
|
||||
### Authors
|
||||
- Olivier Bilodeau <olivier.bilodeau@flare.io>, Maintainer
|
||||
- Lisandro Ubiedo, Author
|
||||
|
||||
### References
|
||||
- https://github.com/GoSecure/pyrdp
|
||||
|
||||
## rtmp
|
||||
Real-Time Messaging Protocol.
|
||||
|
||||
|
@ -57,11 +57,7 @@ def _markdown_children_to_text($width):
|
||||
| join("")
|
||||
) as $text
|
||||
| if $text == .destination then $text
|
||||
else
|
||||
if .destination | startswith("mailto:") then
|
||||
"<\(.destination[7:])>"
|
||||
else "\($text) (\(.destination))"
|
||||
end
|
||||
else "\($text) (\(.destination))"
|
||||
end
|
||||
)
|
||||
elif .type == "code_block" then .literal | rtrimstr("\n") | split("\n") | " " + join("\n ")
|
||||
|
@ -16,61 +16,61 @@ const (
|
||||
RDP10_2 = 0x80007
|
||||
RDP10_3 = 0x80008
|
||||
RDP10_4 = 0x80009
|
||||
RDP10_5 = 0x8000a
|
||||
RDP10_6 = 0x8000b
|
||||
RDP10_7 = 0x8000c
|
||||
RDP10_5 = 0x8000A
|
||||
RDP10_6 = 0x8000B
|
||||
RDP10_7 = 0x8000C
|
||||
RDP10_8 = 0x8000d
|
||||
RDP10_9 = 0x8000e
|
||||
RDP10_10 = 0x8000f
|
||||
)
|
||||
|
||||
var RDPVersionMap = scalar.UintMapSymStr{
|
||||
RDP4: "4",
|
||||
RDP5: "5",
|
||||
RDP10: "10",
|
||||
RDP10_1: "10_1",
|
||||
RDP10_2: "10_2",
|
||||
RDP10_3: "10_3",
|
||||
RDP10_4: "10_4",
|
||||
RDP10_5: "10_5",
|
||||
RDP10_6: "10_6",
|
||||
RDP10_7: "10_7",
|
||||
RDP10_8: "10_8",
|
||||
RDP10_9: "10_9",
|
||||
RDP10_10: "10_10",
|
||||
RDP4: "rdp4",
|
||||
RDP5: "rdp5",
|
||||
RDP10: "rdp10",
|
||||
RDP10_1: "rdp10_1",
|
||||
RDP10_2: "rdp10_2",
|
||||
RDP10_3: "rdp10_3",
|
||||
RDP10_4: "rdp10_4",
|
||||
RDP10_5: "rdp10_5",
|
||||
RDP10_6: "rdp10_6",
|
||||
RDP10_7: "rdp10_7",
|
||||
RDP10_8: "rdp10_8",
|
||||
RDP10_9: "rdp10_9",
|
||||
RDP10_10: "rdp10_10",
|
||||
}
|
||||
|
||||
const (
|
||||
CLIENT_CORE = 0xc001
|
||||
CLIENT_SECURITY = 0xc002
|
||||
CLIENT_NETWORK = 0xc003
|
||||
CLIENT_CLUSTER = 0xc004
|
||||
CLIENT_CORE = 0xC001
|
||||
CLIENT_SECURITY = 0xC002
|
||||
CLIENT_NETWORK = 0xC003
|
||||
CLIENT_CLUSTER = 0xC004
|
||||
)
|
||||
|
||||
var clientDataMap = scalar.UintMapSymStr{
|
||||
CLIENT_CORE: "core",
|
||||
CLIENT_SECURITY: "security",
|
||||
CLIENT_NETWORK: "network",
|
||||
CLIENT_CLUSTER: "cluster",
|
||||
CLIENT_CORE: "client_core",
|
||||
CLIENT_SECURITY: "client_security",
|
||||
CLIENT_NETWORK: "client_network",
|
||||
CLIENT_CLUSTER: "client_cluster",
|
||||
}
|
||||
|
||||
func ParseClientData(d *decode.D, length int64) {
|
||||
d.FieldStruct("client_data", func(d *decode.D) {
|
||||
header := d.FieldU16("header", clientDataMap)
|
||||
dataLen := int64(d.FieldU16("length") - 4)
|
||||
data_len := int64(d.FieldU16("length") - 4)
|
||||
|
||||
switch header {
|
||||
case CLIENT_CORE:
|
||||
ParseClientDataCore(d, dataLen)
|
||||
ParseClientDataCore(d, data_len)
|
||||
case CLIENT_SECURITY:
|
||||
ParseClientDataSecurity(d, dataLen)
|
||||
ParseClientDataSecurity(d, data_len)
|
||||
case CLIENT_NETWORK:
|
||||
ParseClientDataNetwork(d, dataLen)
|
||||
ParseClientDataNetwork(d, data_len)
|
||||
case CLIENT_CLUSTER:
|
||||
ParseClientDataCluster(d, dataLen)
|
||||
ParseClientDataCluster(d, data_len)
|
||||
default:
|
||||
// Assert() once all functions are implemented and tested.
|
||||
d.FieldRawLen("data", dataLen*8)
|
||||
d.FieldRawLen("data", data_len*8)
|
||||
return
|
||||
}
|
||||
})
|
||||
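Review bot: `data_len := int64(d.FieldU16("length") - 4)` in ParseClientData subtracts from an unsigned value read from the file before any lower-bound check, so a `length` field below 4 wraps around and converts to a negative int64 that is then handed to the sub-parsers and to `d.FieldRawLen("data", data_len*8)`. Reject short values before subtracting, for example `l := d.FieldU16("length"); if l < 4 { d.Fatalf("client_data length %d too short", l) }`. The same unchecked unsigned subtraction appears as `input_length -= uint64(d.Pos()-pos) / 8` in ParseFastPathInput, where the following `input_length > 0` test cannot catch a wrap, and as `pdu_size := int64(size - 18)` in decodePYRDP, where only the no-parser branch checks `pdu_size > 0`. ParseClientData's closing brace lies outside this hunk.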
|
@ -12,46 +12,46 @@ func ParseClientInfo(d *decode.D, length int64) {
|
||||
d.FieldStruct("client_info", func(d *decode.D) {
|
||||
pos := d.Pos()
|
||||
var (
|
||||
isUnicode bool
|
||||
hasNull bool
|
||||
nullN uint64 = 0
|
||||
unicodeN uint64 = 0
|
||||
is_unicode bool
|
||||
has_null bool
|
||||
null_n uint64 = 0
|
||||
unicode_n uint64 = 0
|
||||
)
|
||||
codePage := d.FieldU32("code_page")
|
||||
code_page := d.FieldU32("code_page")
|
||||
flags := d.U32()
|
||||
d.SeekRel(-4 * 8)
|
||||
d.FieldStruct("flags", decodeFlagsFn)
|
||||
|
||||
isUnicode = ((flags & INFO_UNICODE) != 0)
|
||||
hasNull = (codePage == 1252 || isUnicode)
|
||||
is_unicode = ((flags & INFO_UNICODE) != 0)
|
||||
has_null = (code_page == 1252 || is_unicode)
|
||||
|
||||
if hasNull {
|
||||
nullN = 1
|
||||
if has_null {
|
||||
null_n = 1
|
||||
}
|
||||
if isUnicode {
|
||||
unicodeN = 2
|
||||
if is_unicode {
|
||||
unicode_n = 2
|
||||
}
|
||||
|
||||
domainLength := int(d.FieldU16("domain_length") + nullN*unicodeN)
|
||||
usernameLength := int(d.FieldU16("username_length") + nullN*unicodeN)
|
||||
passwordLength := int(d.FieldU16("password_length") + nullN*unicodeN)
|
||||
alternateShellLength := int(d.FieldU16("alternate_shell_length") + nullN*unicodeN)
|
||||
workingDirLength := int(d.FieldU16("working_dir_length") + nullN*unicodeN)
|
||||
domain_length := int(d.FieldU16("domain_length") + null_n*unicode_n)
|
||||
username_length := int(d.FieldU16("username_length") + null_n*unicode_n)
|
||||
password_length := int(d.FieldU16("password_length") + null_n*unicode_n)
|
||||
alternate_shell_length := int(d.FieldU16("alternate_shell_length") + null_n*unicode_n)
|
||||
working_dir_length := int(d.FieldU16("working_dir_length") + null_n*unicode_n)
|
||||
|
||||
d.FieldUTF16LE("domain", domainLength, scalar.StrActualTrim("\x00"))
|
||||
d.FieldUTF16LE("username", usernameLength, scalar.StrActualTrim("\x00"))
|
||||
d.FieldUTF16LE("password", passwordLength, scalar.StrActualTrim("\x00"))
|
||||
d.FieldUTF16LE("alternate_shell", alternateShellLength, scalar.StrActualTrim("\x00"))
|
||||
d.FieldUTF16LE("working_dir", workingDirLength, scalar.StrActualTrim("\x00"))
|
||||
d.FieldUTF16LE("domain", domain_length, scalar.StrActualTrim("\x00"))
|
||||
d.FieldUTF16LE("username", username_length, scalar.StrActualTrim("\x00"))
|
||||
d.FieldUTF16LE("password", password_length, scalar.StrActualTrim("\x00"))
|
||||
d.FieldUTF16LE("alternate_shell", alternate_shell_length, scalar.StrActualTrim("\x00"))
|
||||
d.FieldUTF16LE("working_dir", working_dir_length, scalar.StrActualTrim("\x00"))
|
||||
|
||||
extraLength := length - ((d.Pos() - pos) / 8)
|
||||
if extraLength > 0 {
|
||||
extra_length := length - ((d.Pos() - pos) / 8)
|
||||
if extra_length > 0 {
|
||||
d.FieldStruct("extra_info", func(d *decode.D) {
|
||||
d.FieldU16("address_family", scalar.UintHex)
|
||||
addressLength := int(d.FieldU16("address_length"))
|
||||
d.FieldUTF16LE("address", addressLength, scalar.StrActualTrim("\x00"))
|
||||
clientDirLength := int(d.FieldU16("client_dir_length"))
|
||||
d.FieldUTF16LE("client_dir", clientDirLength, scalar.StrActualTrim("\x00"))
|
||||
address_length := int(d.FieldU16("address_length"))
|
||||
d.FieldUTF16LE("address", address_length, scalar.StrActualTrim("\x00"))
|
||||
client_dir_length := int(d.FieldU16("client_dir_length"))
|
||||
d.FieldUTF16LE("client_dir", client_dir_length, scalar.StrActualTrim("\x00"))
|
||||
// TS_TIME_ZONE_INFORMATION structure
|
||||
// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/526ed635-d7a9-4d3c-bbe1-4e3fb17585f4
|
||||
d.FieldU32("timezone_bias")
|
||||
@ -92,14 +92,14 @@ const (
|
||||
func decodeFlagsFn(d *decode.D) {
|
||||
d.FieldBool("mouse")
|
||||
d.FieldBool("disabledctrlaltdel")
|
||||
d.FieldRawLen("unused0", 1)
|
||||
d.SeekRel(1)
|
||||
d.FieldBool("autologon")
|
||||
d.FieldBool("unicode")
|
||||
d.FieldBool("maximizeshell")
|
||||
d.FieldBool("logonnotify")
|
||||
d.FieldBool("compression")
|
||||
d.FieldBool("enablewindowskey")
|
||||
d.FieldRawLen("unused1", 4)
|
||||
d.SeekRel(4)
|
||||
d.FieldBool("remoteconsoleaudio")
|
||||
d.FieldBool("force_encrypted_cs_pdu")
|
||||
d.FieldBool("rail")
|
||||
@ -113,5 +113,6 @@ func decodeFlagsFn(d *decode.D) {
|
||||
d.FieldBool("reserved1")
|
||||
d.FieldBool("reserved2")
|
||||
d.FieldBool("hidef_rail_supported")
|
||||
d.FieldRawLen("unused2", 6)
|
||||
|
||||
d.SeekRel(d.Pos() % 31)
|
||||
}
|
||||
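Review bot: `d.SeekRel(d.Pos() % 31)` at the end of decodeFlagsFn makes the number of skipped bits depend on the absolute bit position of the record rather than on the flags layout, so the `domain_length` to `working_dir_length` fields that ParseClientInfo reads next can start at the wrong offset and the credential strings are sliced incorrectly. The line it replaces was a fixed `d.FieldRawLen("unused2", 6)`; keeping that, or at minimum a constant `d.SeekRel(6)`, keeps the struct at 32 bits wherever it sits in the file. Swapping `unused0` and `unused1` for bare `d.SeekRel(1)` / `d.SeekRel(4)` also removes those bits from the decoded tree, which makes non-zero reserved bits invisible to anyone inspecting a replay. The middle of decodeFlagsFn is outside the visible hunks, so the 6-bit figure is taken from the removed line rather than counted.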
|
@ -30,24 +30,24 @@ const (
|
||||
)
|
||||
|
||||
var cbTypesMap = scalar.UintMapSymStr{
|
||||
CB_MONITOR_READY: "monitor_ready",
|
||||
CB_FORMAT_LIST: "format_list",
|
||||
CB_FORMAT_LIST_RESPONSE: "format_list_response",
|
||||
CB_FORMAT_DATA_REQUEST: "format_data_request",
|
||||
CB_FORMAT_DATA_RESPONSE: "format_data_response",
|
||||
CB_TEMP_DIRECTORY: "temp_directory",
|
||||
CB_CLIP_CAPS: "clip_caps",
|
||||
CB_FILECONTENTS_REQUEST: "filecontents_request",
|
||||
CB_FILECONTENTS_RESPONSE: "filecontents_response",
|
||||
CB_LOCK_CLIPDATA: "lock_clipdata",
|
||||
CB_UNLOCK_CLIPDATA: "unlock_clipdata",
|
||||
CB_MONITOR_READY: "cb_monitor_ready",
|
||||
CB_FORMAT_LIST: "cb_format_list",
|
||||
CB_FORMAT_LIST_RESPONSE: "cb_format_list_response",
|
||||
CB_FORMAT_DATA_REQUEST: "cb_format_data_request",
|
||||
CB_FORMAT_DATA_RESPONSE: "cb_format_data_response",
|
||||
CB_TEMP_DIRECTORY: "cb_temp_directory",
|
||||
CB_CLIP_CAPS: "cb_clip_caps",
|
||||
CB_FILECONTENTS_REQUEST: "cb_filecontents_request",
|
||||
CB_FILECONTENTS_RESPONSE: "cb_filecontents_response",
|
||||
CB_LOCK_CLIPDATA: "cb_lock_clipdata",
|
||||
CB_UNLOCK_CLIPDATA: "cb_unlock_clipdata",
|
||||
}
|
||||
|
||||
var cbFlagsMap = scalar.UintMapSymStr{
|
||||
NONE: "none",
|
||||
CB_RESPONSE_OK: "response_ok",
|
||||
CB_RESPONSE_FAIL: "response_fail",
|
||||
CB_ASCII_NAMES: "ascii_names",
|
||||
CB_RESPONSE_OK: "cb_response_ok",
|
||||
CB_RESPONSE_FAIL: "cb_response_fail",
|
||||
CB_ASCII_NAMES: "cb_ascii_names",
|
||||
}
|
||||
|
||||
var cbParseFnMap = map[uint16]interface{}{
|
||||
@ -56,20 +56,20 @@ var cbParseFnMap = map[uint16]interface{}{
|
||||
|
||||
func ParseClipboardData(d *decode.D, length int64) {
|
||||
d.FieldStruct("clipboard_data", func(d *decode.D) {
|
||||
msgType := uint16(d.FieldU16("msg_type", cbTypesMap))
|
||||
msg_type := uint16(d.FieldU16("msg_type", cbTypesMap))
|
||||
d.FieldU16("msg_flags", cbFlagsMap)
|
||||
dataLength := d.FieldU32("data_len")
|
||||
data_length := d.FieldU32("data_len")
|
||||
|
||||
cbParser, ok := cbParseFnMap[msgType]
|
||||
cbParser, ok := cbParseFnMap[msg_type]
|
||||
if ok {
|
||||
parseFn, ok := cbParser.(func(d *decode.D, length uint64))
|
||||
if ok {
|
||||
parseFn(d, dataLength)
|
||||
parseFn(d, data_length)
|
||||
return
|
||||
}
|
||||
}
|
||||
// Assert() once all functions are implemented.
|
||||
d.FieldRawLen("data", int64(dataLength*8))
|
||||
d.FieldRawLen("data", int64(data_length*8))
|
||||
})
|
||||
}
|
||||
|
||||
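Review bot: ParseClipboardData never uses its `length` argument; `data_length` comes straight from the `data_len` field and is passed to `parseFn(d, data_length)` and `d.FieldRawLen("data", int64(data_length*8))` without being compared against the size of the enclosing PDU. A replay file with an oversized `data_len` can therefore make the clipboard decoder run past its own record into the following ones. Assuming `length` is the PDU size in bytes, as the `*8` conversions suggest, a guard after the 8-byte header such as `if int64(data_length) > length-8 { d.Fatalf("clipboard data_len %d exceeds pdu", data_length) }` would bound it. The existing comment `// Assert() once all functions are implemented.` would also benefit from naming what is to be asserted.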
|
@ -67,9 +67,9 @@ func ParseFastPathInput(d *decode.D, length int64) {
|
||||
}
|
||||
})
|
||||
|
||||
inputLength := d.FieldU8("input_length1", scalar.UintHex)
|
||||
if inputLength&0x80 != 0 {
|
||||
inputLength = ((inputLength & 0x7f) << 8) | d.FieldU8("input_length2", scalar.UintHex)
|
||||
input_length := d.FieldU8("input_length1", scalar.UintHex)
|
||||
if input_length&0x80 != 0 {
|
||||
input_length = ((input_length & 0x7f) << 8) | d.FieldU8("input_length2", scalar.UintHex)
|
||||
}
|
||||
|
||||
// d.FieldU64("data_signature", scalar.Hex)
|
||||
@ -92,9 +92,9 @@ func ParseFastPathInput(d *decode.D, length int64) {
|
||||
// }
|
||||
// })
|
||||
|
||||
inputLength -= uint64(d.Pos()-pos) / 8
|
||||
if inputLength > 0 {
|
||||
d.FieldRawLen("data", int64(inputLength*8))
|
||||
input_length -= uint64(d.Pos()-pos) / 8
|
||||
if input_length > 0 {
|
||||
d.FieldRawLen("data", int64(input_length*8))
|
||||
}
|
||||
})
|
||||
}
|
||||
|
@ -10,7 +10,6 @@
|
||||
package pyrdp
|
||||
|
||||
import (
|
||||
"embed"
|
||||
"time"
|
||||
|
||||
"github.com/wader/fq/format"
|
||||
@ -20,19 +19,6 @@ import (
|
||||
"github.com/wader/fq/pkg/scalar"
|
||||
)
|
||||
|
||||
//go:embed pyrdp.md
|
||||
var pyrdpFS embed.FS
|
||||
|
||||
func init() {
|
||||
interp.RegisterFormat(
|
||||
format.PYRDP,
|
||||
&decode.Format{
|
||||
Description: "PyRDP Replay Files",
|
||||
DecodeFn: decodePYRDP,
|
||||
})
|
||||
interp.RegisterFS(pyrdpFS)
|
||||
}
|
||||
|
||||
const (
|
||||
READ_EXTRA = true
|
||||
|
||||
@ -60,26 +46,26 @@ const (
|
||||
)
|
||||
|
||||
var pduTypesMap = scalar.UintMapSymStr{
|
||||
PDU_FAST_PATH_INPUT: "fastpath_input",
|
||||
PDU_FAST_PATH_OUTPUT: "fastpath_output",
|
||||
PDU_CLIENT_INFO: "client_info",
|
||||
PDU_SLOW_PATH_PDU: "slow_path_pdu",
|
||||
PDU_CONNECTION_CLOSE: "connection_close",
|
||||
PDU_CLIPBOARD_DATA: "clipboard_data",
|
||||
PDU_CLIENT_DATA: "client_data",
|
||||
PDU_MOUSE_MOVE: "mouse_move",
|
||||
PDU_MOUSE_BUTTON: "mouse_button",
|
||||
PDU_MOUSE_WHEEL: "mouse_wheel",
|
||||
PDU_KEYBOARD: "keyboard",
|
||||
PDU_TEXT: "text",
|
||||
PDU_FORWARDING_STATE: "forwarding_state",
|
||||
PDU_BITMAP: "bitmap",
|
||||
PDU_DEVICE_MAPPING: "device_mapping",
|
||||
PDU_DIRECTORY_LISTING_REQUEST: "directory_listing_request",
|
||||
PDU_DIRECTORY_LISTING_RESPONSE: "directory_listing_response",
|
||||
PDU_FILE_DOWNLOAD_REQUEST: "file_download_request",
|
||||
PDU_FILE_DOWNLOAD_RESPONSE: "file_download_response",
|
||||
PDU_FILE_DOWNLOAD_COMPLETE: "file_download_complete",
|
||||
PDU_FAST_PATH_INPUT: "pdu_fastpath_input",
|
||||
PDU_FAST_PATH_OUTPUT: "pdu_fastpath_output",
|
||||
PDU_CLIENT_INFO: "pdu_client_info",
|
||||
PDU_SLOW_PATH_PDU: "pdu_slow_path_pdu",
|
||||
PDU_CONNECTION_CLOSE: "pdu_connection_close",
|
||||
PDU_CLIPBOARD_DATA: "pdu_clipboard_data",
|
||||
PDU_CLIENT_DATA: "pdu_client_data",
|
||||
PDU_MOUSE_MOVE: "pdu_mouse_move",
|
||||
PDU_MOUSE_BUTTON: "pdu_mouse_button",
|
||||
PDU_MOUSE_WHEEL: "pdu_mouse_wheel",
|
||||
PDU_KEYBOARD: "pdu_keyboard",
|
||||
PDU_TEXT: "pdu_text",
|
||||
PDU_FORWARDING_STATE: "pdu_forwarding_state",
|
||||
PDU_BITMAP: "pdu_bitmap",
|
||||
PDU_DEVICE_MAPPING: "pdu_device_mapping",
|
||||
PDU_DIRECTORY_LISTING_REQUEST: "pdu_directory_listing_request",
|
||||
PDU_DIRECTORY_LISTING_RESPONSE: "pdu_directory_listing_response",
|
||||
PDU_FILE_DOWNLOAD_REQUEST: "pdu_file_download_request",
|
||||
PDU_FILE_DOWNLOAD_RESPONSE: "pdu_file_download_response",
|
||||
PDU_FILE_DOWNLOAD_COMPLETE: "pdu_file_download_complete",
|
||||
}
|
||||
|
||||
var pduParsersMap = map[uint16]interface{}{
|
||||
@ -105,6 +91,15 @@ var pduParsersMap = map[uint16]interface{}{
|
||||
// PDU_FILE_DOWNLOAD_COMPLETE: pyrdp_pdu.ParseFileDownloadComplete,
|
||||
}
|
||||
|
||||
func init() {
|
||||
interp.RegisterFormat(
|
||||
format.PYRDP,
|
||||
&decode.Format{
|
||||
Description: "PyRDP Replay Files",
|
||||
DecodeFn: decodePYRDP,
|
||||
})
|
||||
}
|
||||
|
||||
func decodePYRDP(d *decode.D) any {
|
||||
d.Endian = decode.LittleEndian
|
||||
|
||||
@ -114,14 +109,14 @@ func decodePYRDP(d *decode.D) any {
|
||||
pos := d.Pos()
|
||||
|
||||
size := d.FieldU64("size") // minus the length
|
||||
pduType := uint16(d.FieldU16("pdu_type", pduTypesMap))
|
||||
d.FieldU64("timestamp", scalar.UintActualUnixTimeDescription(time.Millisecond, time.RFC3339Nano))
|
||||
pduSize := int64(size - 18)
|
||||
pdu_type := uint16(d.FieldU16("pdu_type", pduTypesMap))
|
||||
d.FieldU64("timestamp", timestampMapper)
|
||||
pdu_size := int64(size - 18)
|
||||
|
||||
pduParser, ok := pduParsersMap[pduType]
|
||||
pduParser, ok := pduParsersMap[pdu_type]
|
||||
if !ok { // catch undeclared parsers
|
||||
if pduSize > 0 {
|
||||
d.FieldRawLen("data", pduSize*8)
|
||||
if pdu_size > 0 {
|
||||
d.FieldRawLen("data", pdu_size*8)
|
||||
}
|
||||
return
|
||||
}
|
||||
@ -129,7 +124,7 @@ func decodePYRDP(d *decode.D) any {
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
parseFn(d, pduSize)
|
||||
parseFn(d, pdu_size)
|
||||
|
||||
curr := d.Pos() - pos
|
||||
if READ_EXTRA {
|
||||
@ -144,3 +139,8 @@ func decodePYRDP(d *decode.D) any {
|
||||
}
|
||||
|
||||
func noParse(d *decode.D, length int64) {}
|
||||
|
||||
var timestampMapper = scalar.UintFn(func(s scalar.Uint) (scalar.Uint, error) {
|
||||
s.Sym = time.UnixMilli(int64(s.Actual)).UTC().String()
|
||||
return s, nil
|
||||
})
|
||||
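Review bot: `timestampMapper` stores `time.UnixMilli(int64(s.Actual)).UTC().String()` in `s.Sym`, and `Time.String()` is documented as a debugging format rather than a stable serialization, so the value users see for `timestamp` is tied to that format. Using `.Format(time.RFC3339Nano)`, the layout the replaced `scalar.UintActualUnixTimeDescription(time.Millisecond, time.RFC3339Nano)` call was given, yields a fixed, parseable form. The `int64(s.Actual)` conversion also turns a file-supplied value above the int64 range into a negative timestamp without any indication; a bounds check or a comment stating that this is accepted would help. The mapper has no doc comment; something like `// timestampMapper renders the millisecond Unix timestamp as a UTC time string.` would cover it.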
|
@ -1,6 +0,0 @@
|
||||
### Authors
|
||||
- Olivier Bilodeau <olivier.bilodeau@flare.io>, Maintainer
|
||||
- Lisandro Ubiedo, Author
|
||||
|
||||
### References
|
||||
- https://github.com/GoSecure/pyrdp
|
1519
format/pyrdp/testdata/test.fqtest
vendored
1519
format/pyrdp/testdata/test.fqtest
vendored
File diff suppressed because it is too large
8
go.mod
8
go.mod
@ -48,7 +48,7 @@ require (
|
||||
// bump: gomod-golang-x-crypto /golang\.org\/x\/crypto v(.*)/ https://github.com/golang/crypto.git|^0
|
||||
// bump: gomod-golang-x-crypto command go get -d golang.org/x/crypto@v$LATEST && go mod tidy
|
||||
// bump: gomod-golang-x-crypto link "Tags" https://github.com/golang/crypto/tags
|
||||
golang.org/x/crypto v0.24.0
|
||||
golang.org/x/crypto v0.23.0
|
||||
|
||||
// has no tags
|
||||
// go get -d golang.org/x/exp@master && go mod tidy
|
||||
@ -57,12 +57,12 @@ require (
|
||||
// bump: gomod-golang-x-net /golang\.org\/x\/net v(.*)/ https://github.com/golang/net.git|^0
|
||||
// bump: gomod-golang-x-net command go get -d golang.org/x/net@v$LATEST && go mod tidy
|
||||
// bump: gomod-golang-x-net link "Tags" https://github.com/golang/net/tags
|
||||
golang.org/x/net v0.26.0
|
||||
golang.org/x/net v0.25.0
|
||||
|
||||
// bump: gomod-golang-x-term /golang\.org\/x\/term v(.*)/ https://github.com/golang/term.git|^0
|
||||
// bump: gomod-golang-x-term command go get -d golang.org/x/term@v$LATEST && go mod tidy
|
||||
// bump: gomod-golang-x-term link "Tags" https://github.com/golang/term/tags
|
||||
golang.org/x/term v0.21.0
|
||||
golang.org/x/term v0.20.0
|
||||
|
||||
// bump: gomod-golang/text /golang\.org\/x\/text v(.*)/ https://github.com/golang/text.git|^0
|
||||
// bump: gomod-golang/text command go get -d golang.org/x/text@v$LATEST && go mod tidy
|
||||
@ -79,6 +79,6 @@ require (
|
||||
github.com/itchyny/timefmt-go v0.1.5 // indirect
|
||||
github.com/mitchellh/reflectwalk v1.0.2 // indirect
|
||||
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
|
||||
golang.org/x/sys v0.21.0 // indirect
|
||||
golang.org/x/sys v0.20.0 // indirect
|
||||
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
|
||||
)
|
||||
|
16
go.sum
16
go.sum
@ -25,16 +25,16 @@ github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWb
|
||||
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
|
||||
github.com/wader/gojq v0.12.1-0.20240401131232-6c6bc364201a h1:P881Oecjt9FEXrwkGJ6UObJksxejJaF/fKq1ZfXpiVE=
|
||||
github.com/wader/gojq v0.12.1-0.20240401131232-6c6bc364201a/go.mod h1:qVrzkUdnBtJvM4twyRQ6xdziPSnSp35dLm4s/DN2iP4=
|
||||
golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
|
||||
golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
|
||||
golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
|
||||
golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
|
||||
golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8 h1:aAcj0Da7eBAtrTp03QXWvm88pSyOt+UgdZw2BFZ+lEw=
|
||||
golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8/go.mod h1:CQ1k9gNrJ50XIzaKCRR2hssIjF07kZFEiieALBM/ARQ=
|
||||
golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
|
||||
golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
|
||||
golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
|
||||
golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
|
||||
golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
|
||||
golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
|
||||
golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
|
||||
golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
|
||||
golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
|
||||
golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
|
||||
golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
|
||||
golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
|
||||
golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
|
||||
golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
|