mirror of
https://github.com/wader/fq.git
synced 2024-10-26 20:06:29 +03:00
Compare commits
9 Commits
920ba09d94
...
75737d9685
Author | SHA1 | Date | |
---|---|---|---|
|
75737d9685 | ||
|
d5d35907c7 | ||
|
fbbd045f1e | ||
|
64c5646e21 | ||
|
4f8a3120a8 | ||
|
0c69df6258 | ||
|
7d3e4d678f | ||
|
c1eb22ef9c | ||
|
98c4bdc529 |
@ -138,6 +138,7 @@ prores_frame,
|
||||
[protobuf](doc/formats.md#protobuf),
|
||||
protobuf_widevine,
|
||||
pssh_playready,
|
||||
pyrdp,
|
||||
[rtmp](doc/formats.md#rtmp),
|
||||
sll2_packet,
|
||||
sll_packet,
|
||||
|
@ -153,6 +153,7 @@ prores_frame Apple ProRes frame
|
||||
protobuf Protobuf
|
||||
protobuf_widevine Widevine protobuf
|
||||
pssh_playready PlayReady PSSH
|
||||
pyrdp PyRDP Replay Files
|
||||
rtmp Real-Time Messaging Protocol
|
||||
sll2_packet Linux cooked capture encapsulation v2
|
||||
sll_packet Linux cooked capture encapsulation
|
||||
|
@ -50,6 +50,7 @@ import (
|
||||
_ "github.com/wader/fq/format/postgres"
|
||||
_ "github.com/wader/fq/format/prores"
|
||||
_ "github.com/wader/fq/format/protobuf"
|
||||
_ "github.com/wader/fq/format/pyrdp"
|
||||
_ "github.com/wader/fq/format/riff"
|
||||
_ "github.com/wader/fq/format/rtmp"
|
||||
_ "github.com/wader/fq/format/tar"
|
||||
|
@ -162,6 +162,7 @@ var (
|
||||
Protobuf = &decode.Group{Name: "protobuf"}
|
||||
ProtobufWidevine = &decode.Group{Name: "protobuf_widevine"}
|
||||
PSSH_Playready = &decode.Group{Name: "pssh_playready"}
|
||||
PYRDP = &decode.Group{Name: "pyrdp"}
|
||||
RTMP = &decode.Group{Name: "rtmp"}
|
||||
SLL_Packet = &decode.Group{Name: "sll_packet"}
|
||||
SLL2_Packet = &decode.Group{Name: "sll2_packet"}
|
||||
|
109
format/pyrdp/pdu/client_data.go
Normal file
109
format/pyrdp/pdu/client_data.go
Normal file
@ -0,0 +1,109 @@
|
||||
// Copyright (c) 2022-2023 GoSecure Inc.
|
||||
// Copyright (c) 2024 Flare Systems
|
||||
// Licensed under the MIT License
|
||||
package pdu
|
||||
|
||||
import (
|
||||
"github.com/wader/fq/pkg/decode"
|
||||
"github.com/wader/fq/pkg/scalar"
|
||||
)
|
||||
|
||||
const (
|
||||
RDP4 = 0x80001
|
||||
RDP5 = 0x80004
|
||||
RDP10 = 0x80005
|
||||
RDP10_1 = 0x80006
|
||||
RDP10_2 = 0x80007
|
||||
RDP10_3 = 0x80008
|
||||
RDP10_4 = 0x80009
|
||||
RDP10_5 = 0x8000A
|
||||
RDP10_6 = 0x8000B
|
||||
RDP10_7 = 0x8000C
|
||||
RDP10_8 = 0x8000d
|
||||
RDP10_9 = 0x8000e
|
||||
RDP10_10 = 0x8000f
|
||||
)
|
||||
|
||||
var RDPVersionMap = scalar.UintMapSymStr{
|
||||
RDP4: "rdp4",
|
||||
RDP5: "rdp5",
|
||||
RDP10: "rdp10",
|
||||
RDP10_1: "rdp10_1",
|
||||
RDP10_2: "rdp10_2",
|
||||
RDP10_3: "rdp10_3",
|
||||
RDP10_4: "rdp10_4",
|
||||
RDP10_5: "rdp10_5",
|
||||
RDP10_6: "rdp10_6",
|
||||
RDP10_7: "rdp10_7",
|
||||
RDP10_8: "rdp10_8",
|
||||
RDP10_9: "rdp10_9",
|
||||
RDP10_10: "rdp10_10",
|
||||
}
|
||||
|
||||
const (
|
||||
CLIENT_CORE = 0xC001
|
||||
CLIENT_SECURITY = 0xC002
|
||||
CLIENT_NETWORK = 0xC003
|
||||
CLIENT_CLUSTER = 0xC004
|
||||
)
|
||||
|
||||
var clientDataMap = scalar.UintMapSymStr{
|
||||
CLIENT_CORE: "client_core",
|
||||
CLIENT_SECURITY: "client_security",
|
||||
CLIENT_NETWORK: "client_network",
|
||||
CLIENT_CLUSTER: "client_cluster",
|
||||
}
|
||||
|
||||
func ParseClientData(d *decode.D, length int64) {
|
||||
d.FieldStruct("client_data", func(d *decode.D) {
|
||||
header := d.FieldU16("header", clientDataMap)
|
||||
data_len := int64(d.FieldU16("length") - 4)
|
||||
|
||||
switch header {
|
||||
case CLIENT_CORE:
|
||||
ParseClientDataCore(d, data_len)
|
||||
case CLIENT_SECURITY:
|
||||
ParseClientDataSecurity(d, data_len)
|
||||
case CLIENT_NETWORK:
|
||||
ParseClientDataNetwork(d, data_len)
|
||||
case CLIENT_CLUSTER:
|
||||
ParseClientDataCluster(d, data_len)
|
||||
default:
|
||||
// Assert() once all functions are implemented and tested.
|
||||
d.FieldRawLen("data", data_len*8)
|
||||
return
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
func ParseClientDataCore(d *decode.D, length int64) {
|
||||
d.FieldU32("version", RDPVersionMap)
|
||||
d.FieldU16("desktop_width")
|
||||
d.FieldU16("desktop_height")
|
||||
d.FieldU16("color_depth")
|
||||
d.FieldU16("sas_sequence")
|
||||
d.FieldU32("keyboard_layout")
|
||||
d.FieldU32("client_build")
|
||||
d.FieldUTF16LE("client_name", 32, scalar.StrActualTrim("\x00"))
|
||||
d.FieldU32("keyboard_type")
|
||||
d.FieldU32("keyboard_sub_type")
|
||||
d.FieldU32("keyboard_function_key")
|
||||
d.FieldRawLen("ime_file_name", 64*8)
|
||||
d.FieldRawLen("code_data", 98*8)
|
||||
}
|
||||
|
||||
func ParseClientDataSecurity(d *decode.D, length int64) {
|
||||
d.FieldU32("encryption_methods")
|
||||
d.FieldU32("ext_encryption_methods")
|
||||
}
|
||||
|
||||
func ParseClientDataNetwork(d *decode.D, length int64) {
|
||||
d.FieldU32("channel_count")
|
||||
length -= 4
|
||||
d.FieldRawLen("channel_def_array", length*8)
|
||||
}
|
||||
|
||||
func ParseClientDataCluster(d *decode.D, length int64) {
|
||||
d.FieldU32("flags")
|
||||
d.FieldU32("redirected_session_id")
|
||||
}
|
118
format/pyrdp/pdu/client_info.go
Normal file
118
format/pyrdp/pdu/client_info.go
Normal file
@ -0,0 +1,118 @@
|
||||
// Copyright (c) 2022-2023 GoSecure Inc.
|
||||
// Copyright (c) 2024 Flare Systems
|
||||
// Licensed under the MIT License
|
||||
package pdu
|
||||
|
||||
import (
|
||||
"github.com/wader/fq/pkg/decode"
|
||||
"github.com/wader/fq/pkg/scalar"
|
||||
)
|
||||
|
||||
func ParseClientInfo(d *decode.D, length int64) {
|
||||
d.FieldStruct("client_info", func(d *decode.D) {
|
||||
pos := d.Pos()
|
||||
var (
|
||||
is_unicode bool
|
||||
has_null bool
|
||||
null_n uint64 = 0
|
||||
unicode_n uint64 = 0
|
||||
)
|
||||
code_page := d.FieldU32("code_page")
|
||||
flags := d.U32()
|
||||
d.SeekRel(-4 * 8)
|
||||
d.FieldStruct("flags", decodeFlagsFn)
|
||||
|
||||
is_unicode = ((flags & INFO_UNICODE) != 0)
|
||||
has_null = (code_page == 1252 || is_unicode)
|
||||
|
||||
if has_null {
|
||||
null_n = 1
|
||||
}
|
||||
if is_unicode {
|
||||
unicode_n = 2
|
||||
}
|
||||
|
||||
domain_length := int(d.FieldU16("domain_length") + null_n*unicode_n)
|
||||
username_length := int(d.FieldU16("username_length") + null_n*unicode_n)
|
||||
password_length := int(d.FieldU16("password_length") + null_n*unicode_n)
|
||||
alternate_shell_length := int(d.FieldU16("alternate_shell_length") + null_n*unicode_n)
|
||||
working_dir_length := int(d.FieldU16("working_dir_length") + null_n*unicode_n)
|
||||
|
||||
d.FieldUTF16LE("domain", domain_length, scalar.StrActualTrim("\x00"))
|
||||
d.FieldUTF16LE("username", username_length, scalar.StrActualTrim("\x00"))
|
||||
d.FieldUTF16LE("password", password_length, scalar.StrActualTrim("\x00"))
|
||||
d.FieldUTF16LE("alternate_shell", alternate_shell_length, scalar.StrActualTrim("\x00"))
|
||||
d.FieldUTF16LE("working_dir", working_dir_length, scalar.StrActualTrim("\x00"))
|
||||
|
||||
extra_length := length - ((d.Pos() - pos) / 8)
|
||||
if extra_length > 0 {
|
||||
d.FieldStruct("extra_info", func(d *decode.D) {
|
||||
d.FieldU16("address_family", scalar.UintHex)
|
||||
address_length := int(d.FieldU16("address_length"))
|
||||
d.FieldUTF16LE("address", address_length, scalar.StrActualTrim("\x00"))
|
||||
client_dir_length := int(d.FieldU16("client_dir_length"))
|
||||
d.FieldUTF16LE("client_dir", client_dir_length, scalar.StrActualTrim("\x00"))
|
||||
// TS_TIME_ZONE_INFORMATION structure
|
||||
// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/526ed635-d7a9-4d3c-bbe1-4e3fb17585f4
|
||||
d.FieldU32("timezone_bias")
|
||||
d.FieldUTF16LE("timezone_standardname", 64, scalar.StrActualTrim("\x00"))
|
||||
})
|
||||
|
||||
// XXX: there's more extra info but here's everything we need from the
|
||||
// client (other than UTC info)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
const (
|
||||
// flags
|
||||
INFO_MOUSE = 0x00000001
|
||||
INFO_DISABLECTRLALTDEL = 0x00000002
|
||||
INFO_AUTOLOGON = 0x00000008
|
||||
INFO_UNICODE = 0x00000010
|
||||
INFO_MAXIMIZESHELL = 0x00000020
|
||||
INFO_LOGONNOTIFY = 0x00000040
|
||||
INFO_COMPRESSION = 0x00000080
|
||||
INFO_ENABLEWINDOWSKEY = 0x00000100
|
||||
INFO_REMOTECONSOLEAUDIO = 0x00002000
|
||||
INFO_FORCE_ENCRYPTED_CS_PDU = 0x00004000
|
||||
INFO_RAIL = 0x00008000
|
||||
INFO_LOGONERRORS = 0x00010000
|
||||
INFO_MOUSE_HAS_WHEEL = 0x00020000
|
||||
INFO_PASSWORD_IS_SC_PIN = 0x00040000
|
||||
INFO_NOAUDIOPLAYBACK = 0x00080000
|
||||
INFO_USING_SAVED_CREDS = 0x00100000
|
||||
INFO_AUDIOCAPTURE = 0x00200000
|
||||
INFO_VIDEO_DISABLE = 0x00400000
|
||||
INFO_RESERVED1 = 0x00800000
|
||||
INFO_RESERVED2 = 0x01000000
|
||||
INFO_HIDEF_RAIL_SUPPORTED = 0x02000000
|
||||
)
|
||||
|
||||
func decodeFlagsFn(d *decode.D) {
|
||||
d.FieldBool("mouse")
|
||||
d.FieldBool("disabledctrlaltdel")
|
||||
d.SeekRel(1)
|
||||
d.FieldBool("autologon")
|
||||
d.FieldBool("unicode")
|
||||
d.FieldBool("maximizeshell")
|
||||
d.FieldBool("logonnotify")
|
||||
d.FieldBool("compression")
|
||||
d.FieldBool("enablewindowskey")
|
||||
d.SeekRel(4)
|
||||
d.FieldBool("remoteconsoleaudio")
|
||||
d.FieldBool("force_encrypted_cs_pdu")
|
||||
d.FieldBool("rail")
|
||||
d.FieldBool("logonerrors")
|
||||
d.FieldBool("mouse_has_wheel")
|
||||
d.FieldBool("password_is_sc_pin")
|
||||
d.FieldBool("noaudioplayback")
|
||||
d.FieldBool("using_saved_creds")
|
||||
d.FieldBool("audiocapture")
|
||||
d.FieldBool("video_disable")
|
||||
d.FieldBool("reserved1")
|
||||
d.FieldBool("reserved2")
|
||||
d.FieldBool("hidef_rail_supported")
|
||||
|
||||
d.SeekRel(d.Pos() % 31)
|
||||
}
|
78
format/pyrdp/pdu/clipboard_data.go
Normal file
78
format/pyrdp/pdu/clipboard_data.go
Normal file
@ -0,0 +1,78 @@
|
||||
// Copyright (c) 2022-2023 GoSecure Inc.
|
||||
// Copyright (c) 2024 Flare Systems
|
||||
// Licensed under the MIT License
|
||||
package pdu
|
||||
|
||||
import (
|
||||
"github.com/wader/fq/pkg/decode"
|
||||
"github.com/wader/fq/pkg/scalar"
|
||||
)
|
||||
|
||||
const (
|
||||
// Message types.
|
||||
CB_MONITOR_READY = 0x0001
|
||||
CB_FORMAT_LIST = 0x0002
|
||||
CB_FORMAT_LIST_RESPONSE = 0x0003
|
||||
CB_FORMAT_DATA_REQUEST = 0x0004
|
||||
CB_FORMAT_DATA_RESPONSE = 0x0005
|
||||
CB_TEMP_DIRECTORY = 0x0006
|
||||
CB_CLIP_CAPS = 0x0007
|
||||
CB_FILECONTENTS_REQUEST = 0x0008
|
||||
CB_FILECONTENTS_RESPONSE = 0x0009
|
||||
CB_LOCK_CLIPDATA = 0x000A
|
||||
CB_UNLOCK_CLIPDATA = 0x000B
|
||||
|
||||
// Message flags.
|
||||
NONE = 0
|
||||
CB_RESPONSE_OK = 0x0001
|
||||
CB_RESPONSE_FAIL = 0x0002
|
||||
CB_ASCII_NAMES = 0x0004
|
||||
)
|
||||
|
||||
var cbTypesMap = scalar.UintMapSymStr{
|
||||
CB_MONITOR_READY: "cb_monitor_ready",
|
||||
CB_FORMAT_LIST: "cb_format_list",
|
||||
CB_FORMAT_LIST_RESPONSE: "cb_format_list_response",
|
||||
CB_FORMAT_DATA_REQUEST: "cb_format_data_request",
|
||||
CB_FORMAT_DATA_RESPONSE: "cb_format_data_response",
|
||||
CB_TEMP_DIRECTORY: "cb_temp_directory",
|
||||
CB_CLIP_CAPS: "cb_clip_caps",
|
||||
CB_FILECONTENTS_REQUEST: "cb_filecontents_request",
|
||||
CB_FILECONTENTS_RESPONSE: "cb_filecontents_response",
|
||||
CB_LOCK_CLIPDATA: "cb_lock_clipdata",
|
||||
CB_UNLOCK_CLIPDATA: "cb_unlock_clipdata",
|
||||
}
|
||||
|
||||
var cbFlagsMap = scalar.UintMapSymStr{
|
||||
NONE: "none",
|
||||
CB_RESPONSE_OK: "cb_response_ok",
|
||||
CB_RESPONSE_FAIL: "cb_response_fail",
|
||||
CB_ASCII_NAMES: "cb_ascii_names",
|
||||
}
|
||||
|
||||
var cbParseFnMap = map[uint16]interface{}{
|
||||
CB_FORMAT_DATA_RESPONSE: parseCbFormatDataResponse,
|
||||
}
|
||||
|
||||
func ParseClipboardData(d *decode.D, length int64) {
|
||||
d.FieldStruct("clipboard_data", func(d *decode.D) {
|
||||
msg_type := uint16(d.FieldU16("msg_type", cbTypesMap))
|
||||
d.FieldU16("msg_flags", cbFlagsMap)
|
||||
data_length := d.FieldU32("data_len")
|
||||
|
||||
cbParser, ok := cbParseFnMap[msg_type]
|
||||
if ok {
|
||||
parseFn, ok := cbParser.(func(d *decode.D, length uint64))
|
||||
if ok {
|
||||
parseFn(d, data_length)
|
||||
return
|
||||
}
|
||||
}
|
||||
// Assert() once all functions are implemented.
|
||||
d.FieldRawLen("data", int64(data_length*8))
|
||||
})
|
||||
}
|
||||
|
||||
func parseCbFormatDataResponse(d *decode.D, length uint64) {
|
||||
d.FieldRawLen("data", int64(length*8))
|
||||
}
|
129
format/pyrdp/pdu/fastpath_input.go
Normal file
129
format/pyrdp/pdu/fastpath_input.go
Normal file
@ -0,0 +1,129 @@
|
||||
// Copyright (c) 2022-2023 GoSecure Inc.
|
||||
// Copyright (c) 2024 Flare Systems
|
||||
// Licensed under the MIT License
|
||||
package pdu
|
||||
|
||||
import (
|
||||
"github.com/wader/fq/pkg/decode"
|
||||
"github.com/wader/fq/pkg/scalar"
|
||||
)
|
||||
|
||||
const (
|
||||
// Security Flags.
|
||||
FASTPATH_INPUT_SECURE_CHECKSUM = 1
|
||||
FASTPATH_INPUT_ENCRYPTED = 2
|
||||
|
||||
// Event codes.
|
||||
FASTPATH_INPUT_EVENT_SCANCODE = 0
|
||||
FASTPATH_INPUT_EVENT_MOUSE = 1
|
||||
FASTPATH_INPUT_EVENT_MOUSEX = 2
|
||||
FASTPATH_INPUT_EVENT_SYNC = 3
|
||||
FASTPATH_INPUT_EVENT_UNICODE = 4
|
||||
FASTPATH_INPUT_EVENT_QOE_TIMESTAMP = 6
|
||||
)
|
||||
|
||||
// commented because unused but we should use one-day
|
||||
//var eventCodesMap = scalar.UintMapSymStr{
|
||||
// FASTPATH_INPUT_EVENT_SCANCODE: "fastpath_input_event_scancode",
|
||||
// FASTPATH_INPUT_EVENT_MOUSE: "fastpath_input_event_mouse",
|
||||
// FASTPATH_INPUT_EVENT_MOUSEX: "fastpath_input_event_mousex",
|
||||
// FASTPATH_INPUT_EVENT_SYNC: "fastpath_input_event_sync",
|
||||
// FASTPATH_INPUT_EVENT_UNICODE: "fastpath_input_event_unicode",
|
||||
// FASTPATH_INPUT_EVENT_QOE_TIMESTAMP: "fastpath_input_event_qoe_timestamp",
|
||||
//}
|
||||
|
||||
//var eventFnMap = map[int]interface{}{
|
||||
// FASTPATH_INPUT_EVENT_SCANCODE: parseFastpathInputEventScancode,
|
||||
// FASTPATH_INPUT_EVENT_MOUSE: parseFastpathInputEventMouse,
|
||||
// FASTPATH_INPUT_EVENT_MOUSEX: parseFastpathInputEventMousex,
|
||||
// FASTPATH_INPUT_EVENT_SYNC: parseFastpathInputEventSync,
|
||||
// FASTPATH_INPUT_EVENT_UNICODE: parseFastpathInputEventUnicode,
|
||||
// FASTPATH_INPUT_EVENT_QOE_TIMESTAMP: parseFastpathInputEventQoeTimestamp,
|
||||
//}
|
||||
|
||||
//var fastPathInputEventLengthsMap = map[int]int{
|
||||
// FASTPATH_INPUT_EVENT_SCANCODE: 2,
|
||||
// FASTPATH_INPUT_EVENT_MOUSE: 7,
|
||||
// FASTPATH_INPUT_EVENT_MOUSEX: 7,
|
||||
// FASTPATH_INPUT_EVENT_SYNC: 1,
|
||||
// FASTPATH_INPUT_EVENT_UNICODE: 3,
|
||||
// FASTPATH_INPUT_EVENT_QOE_TIMESTAMP: 5,
|
||||
//}
|
||||
|
||||
func ParseFastPathInput(d *decode.D, length int64) {
|
||||
d.FieldStruct("fastpath_input", func(d *decode.D) {
|
||||
// var (
|
||||
// events uint8 = 1
|
||||
// )
|
||||
pos := d.Pos()
|
||||
|
||||
d.FieldStruct("input_header", func(d *decode.D) {
|
||||
d.FieldU2("action", scalar.UintHex)
|
||||
// events = uint8(d.FieldU4("events") & 0xf)
|
||||
d.FieldU4("events", scalar.UintHex)
|
||||
flags := d.FieldU2("flags", scalar.UintHex)
|
||||
if flags&FASTPATH_INPUT_ENCRYPTED != 0 {
|
||||
panic("Encrypted fast-path not implemented.")
|
||||
}
|
||||
})
|
||||
|
||||
input_length := d.FieldU8("input_length1", scalar.UintHex)
|
||||
if input_length&0x80 != 0 {
|
||||
input_length = ((input_length & 0x7f) << 8) | d.FieldU8("input_length2", scalar.UintHex)
|
||||
}
|
||||
|
||||
// d.FieldU64("data_signature", scalar.Hex)
|
||||
// fmt.Fprintf(os.Stderr, "events:%d\n", events)
|
||||
// d.FieldArray("events", func(d *decode.D) {
|
||||
// for ; events > 0; events-- {
|
||||
// var event_type int
|
||||
//
|
||||
// d.FieldStruct("event_header", func(d *decode.D) {
|
||||
// event_type = int(d.FieldU3("type", eventCodesMap))
|
||||
// d.FieldU5("flags")
|
||||
// })
|
||||
//
|
||||
// if _, ok := eventFnMap[event_type]; !ok {
|
||||
// // panic("fastpath_input: Unknow event code.\n")
|
||||
// fmt.Fprint(os.Stderr, "fastpath_input: Unknow event code.\n")
|
||||
// } else {
|
||||
// eventFnMap[event_type].(func(d *decode.D))(d)
|
||||
// }
|
||||
// }
|
||||
// })
|
||||
|
||||
input_length -= uint64(d.Pos()-pos) / 8
|
||||
if input_length > 0 {
|
||||
d.FieldRawLen("data", int64(input_length*8))
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
//commented because unused but we should use one-day
|
||||
//func parseFastpathInputEventScancode(d *decode.D) {
|
||||
// // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/089d362b-31eb-4a1a-b6fa-92fe61bb5dbf
|
||||
// d.FieldU8("key_code", CharMapper)
|
||||
//}
|
||||
|
||||
//func parseFastpathInputEventMouse(d *decode.D) {
|
||||
// // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/16a96ded-b3d3-4468-b993-9c7a51297510
|
||||
// d.FieldU16("pointer_flags", scalar.UintHex)
|
||||
// d.FieldU16("x")
|
||||
// d.FieldU16("y")
|
||||
//}
|
||||
//func parseFastpathInputEventMousex(d *decode.D) {
|
||||
// // https: //docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/2ef7632f-2f2a-4de7-ab58-2585cedcdf48
|
||||
// d.FieldU16("pointer_flags", scalar.UintHex)
|
||||
// d.FieldU16("x")
|
||||
// d.FieldU16("y")
|
||||
//}
|
||||
//func parseFastpathInputEventSync(d *decode.D) {
|
||||
// // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/6c5d0ef9-4653-4d69-9ba9-09ba3acd660f
|
||||
// d.FieldU16("padding")
|
||||
// d.FieldU32("toggle_flags")
|
||||
//}
|
||||
//func parseFastpathInputEventUnicode(d *decode.D) {
|
||||
// // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/e7b13e98-d800-42bb-9a1d-6948537d2317
|
||||
// d.FieldU16("unicode_code", scalar.UintHex)
|
||||
//}
|
||||
//func parseFastpathInputEventQoeTimestamp(d *decode.D) {}
|
16
format/pyrdp/pdu/util.go
Normal file
16
format/pyrdp/pdu/util.go
Normal file
@ -0,0 +1,16 @@
|
||||
// Copyright (c) 2022-2023 GoSecure Inc.
|
||||
// Copyright (c) 2024 Flare Systems
|
||||
// Licensed under the MIT License
|
||||
package pdu
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/wader/fq/pkg/scalar"
|
||||
)
|
||||
|
||||
var CharMapper = scalar.UintFn(func(s scalar.Uint) (scalar.Uint, error) {
|
||||
char := s.Actual
|
||||
s.Sym = fmt.Sprintf("%c", int(char))
|
||||
return s, nil
|
||||
})
|
146
format/pyrdp/pyrdp.go
Normal file
146
format/pyrdp/pyrdp.go
Normal file
@ -0,0 +1,146 @@
|
||||
// Processes PyRDP replay files
|
||||
// https://github.com/GoSecure/pyrdp
|
||||
//
|
||||
// Copyright (c) 2022-2023 GoSecure Inc.
|
||||
// Copyright (c) 2024 Flare Systems
|
||||
// Licensed under the MIT License
|
||||
//
|
||||
// Maintainer: Olivier Bilodeau <olivier.bilodeau@flare.io>
|
||||
// Author: Lisandro Ubiedo
|
||||
package pyrdp
|
||||
|
||||
import (
|
||||
"time"
|
||||
|
||||
"github.com/wader/fq/format"
|
||||
pyrdp_pdu "github.com/wader/fq/format/pyrdp/pdu"
|
||||
"github.com/wader/fq/pkg/decode"
|
||||
"github.com/wader/fq/pkg/interp"
|
||||
"github.com/wader/fq/pkg/scalar"
|
||||
)
|
||||
|
||||
const (
|
||||
READ_EXTRA = true
|
||||
|
||||
// PDU Types.
|
||||
PDU_FAST_PATH_INPUT = 1 // Ex: scan codes, mouse, etc.
|
||||
PDU_FAST_PATH_OUTPUT = 2 // Ex: image
|
||||
PDU_CLIENT_INFO = 3 // Creds on connection
|
||||
PDU_SLOW_PATH_PDU = 4 // For slow-path PDUs
|
||||
PDU_CONNECTION_CLOSE = 5 // To advertise the end of the connection
|
||||
PDU_CLIPBOARD_DATA = 6 // To collect clipboard data
|
||||
PDU_CLIENT_DATA = 7 // Contains the clientName
|
||||
PDU_MOUSE_MOVE = 8 // Mouse move event from the player
|
||||
PDU_MOUSE_BUTTON = 9 // Mouse button event from the player
|
||||
PDU_MOUSE_WHEEL = 10 // Mouse wheel event from the player
|
||||
PDU_KEYBOARD = 11 // Keyboard event from the player
|
||||
PDU_TEXT = 12 // Text event from the player
|
||||
PDU_FORWARDING_STATE = 13 // Event from the player to change the state of I/O forwarding
|
||||
PDU_BITMAP = 14 // Bitmap event from the player
|
||||
PDU_DEVICE_MAPPING = 15 // Device mapping event notification
|
||||
PDU_DIRECTORY_LISTING_REQUEST = 16 // Directory listing request from the player
|
||||
PDU_DIRECTORY_LISTING_RESPONSE = 17 // Directory listing response to the player
|
||||
PDU_FILE_DOWNLOAD_REQUEST = 18 // File download request from the player
|
||||
PDU_FILE_DOWNLOAD_RESPONSE = 19 // File download response to the player
|
||||
PDU_FILE_DOWNLOAD_COMPLETE = 20 // File download completion notification to the player
|
||||
)
|
||||
|
||||
var pduTypesMap = scalar.UintMapSymStr{
|
||||
PDU_FAST_PATH_INPUT: "pdu_fastpath_input",
|
||||
PDU_FAST_PATH_OUTPUT: "pdu_fastpath_output",
|
||||
PDU_CLIENT_INFO: "pdu_client_info",
|
||||
PDU_SLOW_PATH_PDU: "pdu_slow_path_pdu",
|
||||
PDU_CONNECTION_CLOSE: "pdu_connection_close",
|
||||
PDU_CLIPBOARD_DATA: "pdu_clipboard_data",
|
||||
PDU_CLIENT_DATA: "pdu_client_data",
|
||||
PDU_MOUSE_MOVE: "pdu_mouse_move",
|
||||
PDU_MOUSE_BUTTON: "pdu_mouse_button",
|
||||
PDU_MOUSE_WHEEL: "pdu_mouse_wheel",
|
||||
PDU_KEYBOARD: "pdu_keyboard",
|
||||
PDU_TEXT: "pdu_text",
|
||||
PDU_FORWARDING_STATE: "pdu_forwarding_state",
|
||||
PDU_BITMAP: "pdu_bitmap",
|
||||
PDU_DEVICE_MAPPING: "pdu_device_mapping",
|
||||
PDU_DIRECTORY_LISTING_REQUEST: "pdu_directory_listing_request",
|
||||
PDU_DIRECTORY_LISTING_RESPONSE: "pdu_directory_listing_response",
|
||||
PDU_FILE_DOWNLOAD_REQUEST: "pdu_file_download_request",
|
||||
PDU_FILE_DOWNLOAD_RESPONSE: "pdu_file_download_response",
|
||||
PDU_FILE_DOWNLOAD_COMPLETE: "pdu_file_download_complete",
|
||||
}
|
||||
|
||||
var pduParsersMap = map[uint16]interface{}{
|
||||
PDU_FAST_PATH_INPUT: pyrdp_pdu.ParseFastPathInput,
|
||||
// PDU_FAST_PATH_OUTPUT: pyrdp_pdu.ParseFastPathOut,
|
||||
PDU_CLIENT_INFO: pyrdp_pdu.ParseClientInfo,
|
||||
// PDU_SLOW_PATH_PDU: pyrdp_pdu.ParseSlowPathPDU,
|
||||
PDU_CONNECTION_CLOSE: noParse,
|
||||
PDU_CLIPBOARD_DATA: pyrdp_pdu.ParseClipboardData,
|
||||
PDU_CLIENT_DATA: pyrdp_pdu.ParseClientData,
|
||||
// PDU_MOUSE_MOVE: pyrdp_pdu.ParseMouseMove,
|
||||
// PDU_MOUSE_BUTTON: pyrdp_pdu.ParseMouseButton,
|
||||
// PDU_MOUSE_WHEEL: pyrdp_pdu.ParseMouseWheel,
|
||||
// PDU_KEYBOARD: pyrdp_pdu.ParseKeyboard,
|
||||
// PDU_TEXT: pyrdp_pdu.ParseText,
|
||||
// PDU_FORWARDING_STATE: pyrdp_pdu.ParseForwardingState,
|
||||
// PDU_BITMAP: pyrdp_pdu.ParseBitmap,
|
||||
// PDU_DEVICE_MAPPING: pyrdp_pdu.ParseDeviceMapping,
|
||||
// PDU_DIRECTORY_LISTING_REQUEST: pyrdp_pdu.ParseDirectoryListingRequest,
|
||||
// PDU_DIRECTORY_LISTING_RESPONSE: pyrdp_pdu.ParseDirectoryListingResponse,
|
||||
// PDU_FILE_DOWNLOAD_REQUEST: pyrdp_pdu.ParseFileDownloadRequest,
|
||||
// PDU_FILE_DOWNLOAD_RESPONSE: pyrdp_pdu.ParseFileDownloadResponse,
|
||||
// PDU_FILE_DOWNLOAD_COMPLETE: pyrdp_pdu.ParseFileDownloadComplete,
|
||||
}
|
||||
|
||||
func init() {
|
||||
interp.RegisterFormat(
|
||||
format.PYRDP,
|
||||
&decode.Format{
|
||||
Description: "PyRDP Replay Files",
|
||||
DecodeFn: decodePYRDP,
|
||||
})
|
||||
}
|
||||
|
||||
func decodePYRDP(d *decode.D) any {
|
||||
d.Endian = decode.LittleEndian
|
||||
|
||||
d.FieldArray("events", func(d *decode.D) {
|
||||
for !d.End() {
|
||||
d.FieldStruct("event", func(d *decode.D) {
|
||||
pos := d.Pos()
|
||||
|
||||
size := d.FieldU64("size") // minus the length
|
||||
pdu_type := uint16(d.FieldU16("pdu_type", pduTypesMap))
|
||||
d.FieldU64("timestamp", timestampMapper)
|
||||
pdu_size := int64(size - 18)
|
||||
|
||||
pduParser, ok := pduParsersMap[pdu_type]
|
||||
if !ok { // catch undeclared parsers
|
||||
if pdu_size > 0 {
|
||||
d.FieldRawLen("data", pdu_size*8)
|
||||
}
|
||||
return
|
||||
}
|
||||
parseFn, ok := pduParser.(func(d *decode.D, length int64))
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
parseFn(d, pdu_size)
|
||||
|
||||
curr := d.Pos() - pos
|
||||
if READ_EXTRA {
|
||||
d.FieldRawLen("extra", (int64(size)*8)-curr) // seek whatever is left
|
||||
} else {
|
||||
d.SeekRel((int64(size) * 8) - curr) // read whatever is left
|
||||
}
|
||||
})
|
||||
}
|
||||
})
|
||||
return nil
|
||||
}
|
||||
|
||||
func noParse(d *decode.D, length int64) {}
|
||||
|
||||
var timestampMapper = scalar.UintFn(func(s scalar.Uint) (scalar.Uint, error) {
|
||||
s.Sym = time.UnixMilli(int64(s.Actual)).UTC().String()
|
||||
return s, nil
|
||||
})
|
3568
format/pyrdp/testdata/test.fqtest
vendored
Normal file
3568
format/pyrdp/testdata/test.fqtest
vendored
Normal file
File diff suppressed because it is too large
Load Diff
BIN
format/pyrdp/testdata/test.pyrdp
vendored
Normal file
BIN
format/pyrdp/testdata/test.pyrdp
vendored
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user