blob: 3ebac2b1f296daff0596216f920d95ee15371928 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
/*
krb5 PAC
*/
#include "idl_types.h"
[
uuid(46746756-7567-7567-5677-756756756756),
version(0.0),
pointer_default(unique)
]
interface krb5pac
{
typedef struct {
NTTIME logon_time;
uint16 unknown;
astring account_name;
} UNKNOWN_TYPE_10;
typedef [flag(NDR_PAHEX)] struct {
uint32 type;
uint8 signature[20];
} PAC_SIGNATURE_DATA;
typedef struct {
uint32 rid;
uint32 attrs;
} GROUP_MEMBERSHIP;
typedef struct {
dom_sid2 *sid;
uint32 attrs;
} EXTRA_SIDS;
typedef struct {
[value(strlen_m(r->string)*2)] uint16 size;
[value(r->size)] uint16 length;
unistr_noterm *string;
} pac_String;
/* This is awfully similar to a samr_user_info_23, but not identical.
Many of the field names have been swiped from there, because it is
so similar that they are likely the same, but many have been verified.
Some are in a different order, though... */
typedef struct {
uint32 unknown[5];
NTTIME logon_time; /* logon time */
NTTIME logoff_time; /* logoff time */
NTTIME kickoff_time; /* kickoff time */
NTTIME pass_last_set_time; /* password last set time */
NTTIME pass_can_change_time; /* password can change time */
NTTIME pass_must_change_time; /* password must change time */
pac_String account_name;
pac_String full_name;
pac_String logon_script;
pac_String profile_path;
pac_String home_directory;
pac_String home_drive;
uint16 logon_count; /* number of times user has logged onto domain */
uint16 reserved12;
uint32 user_rid;
uint32 group_rid;
uint32 groups_count;
[size_is(groups_count)] GROUP_MEMBERSHIP *groups;
uint32 user_flags;
uint32 reserved13[4];
pac_String dom_controller;
pac_String dom_name;
dom_sid2 *dom_sid;
uint32 reserved16[2];
uint32 reserved17; /* looks like it may be acb_info */
uint32 reserved18[7];
uint32 extra_sids_count;
[size_is(extra_sids_count)] EXTRA_SIDS *extra_sids;
dom_sid2 *res_group_dom_sid;
uint32 res_groups_count;
[size_is(res_groups_count)] GROUP_MEMBERSHIP *res_groups;
} PAC_LOGON_INFO;
const uint8 PAC_TYPE_LOGON_INFO = 1;
const uint8 PAC_TYPE_SRV_CHECKSUM = 6;
const uint8 PAC_TYPE_KDC_CHECKSUM = 7;
const uint8 PAC_TYPE_UNKNOWN_10 = 10;
typedef [nodiscriminant] union {
[case(PAC_TYPE_LOGON_INFO)] PAC_LOGON_INFO logon_info;
[case(PAC_TYPE_SRV_CHECKSUM)] PAC_SIGNATURE_DATA srv_cksum;
[case(PAC_TYPE_KDC_CHECKSUM)] PAC_SIGNATURE_DATA kdc_cksum;
[case(PAC_TYPE_UNKNOWN_10)] UNKNOWN_TYPE_10 type_10;
} PAC_INFO;
typedef struct {
uint32 type;
uint32 size;
[relative,switch_is(type)] PAC_INFO *info;
uint32 _pad;
} PAC_BUFFER;
typedef [public] struct {
uint32 num_buffers;
uint32 version;
PAC_BUFFER buffers[num_buffers];
} PAC_DATA;
void decode_pac(
[in] PAC_DATA pac
);
void decode_login_info(
[in] PAC_LOGON_INFO logon_info
);
}
|