Bug Summary

File:epan/dissectors/packet-procmon.c
Warning: line 834, column 13
Value stored to 'offset' is never read

Annotated Source Code


clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-procmon.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-21/lib/clang/21 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-21/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu 
-internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-truncation -Wno-format-nonliteral -Wno-pointer-sign -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2025-10-21-100328-3623-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-procmon.c
/* packet-procmon.c
 * Routines for MS Procmon dissection
 *
 * Used a lot of information from https://github.com/eronnen/procmon-parser
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <[email protected]>
 * Copyright 1998 Gerald Combs
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 */
12
13#include <config.h>
14
15#include <epan/packet.h>
16#include <epan/expert.h>
17#include <epan/tfs.h>
18#include <wiretap/wtap.h>
19#include "packet-ipv6.h"
20
#define PNAME  "MS Procmon Event"
#define PSNAME "MS Procmon"
#define PFNAME "procmon"

void proto_reg_handoff_procmon(void);
void proto_register_procmon(void);

/* Protocol id, assigned in proto_register_procmon() */
static int proto_procmon;

/*
 * Header-field ids. All are assigned at registration time; they are grouped
 * here by the event class whose details they describe.
 */

/* Event header, stack trace and raw detail blobs */
static int hf_procmon_process_index;
static int hf_procmon_thread_id;
static int hf_procmon_event_class;
static int hf_procmon_operation_type;
static int hf_procmon_duration;
static int hf_procmon_timestamp;
static int hf_procmon_event_result;
static int hf_procmon_stack_trace_depth;
static int hf_procmon_details_size;
static int hf_procmon_extra_details_offset;
static int hf_procmon_stack_trace_address;
static int hf_procmon_detail_data;
static int hf_procmon_extra_detail_data;

/* Process events */
static int hf_procmon_process_operation;
static int hf_procmon_process_pid;
static int hf_procmon_process_path;
static int hf_procmon_process_path_size;
static int hf_procmon_process_path_is_ascii;
static int hf_procmon_process_path_char_count;
static int hf_procmon_process_commandline;
static int hf_procmon_process_commandline_size;
static int hf_procmon_process_commandline_is_ascii;
static int hf_procmon_process_commandline_char_count;
static int hf_procmon_process_thread_id;
static int hf_procmon_process_exit_status;
static int hf_procmon_process_kernel_time;
static int hf_procmon_process_user_time;
static int hf_procmon_process_working_set;
static int hf_procmon_process_peak_working_set;
static int hf_procmon_process_private_bytes;
static int hf_procmon_process_peak_private_bytes;
static int hf_procmon_process_image_base;
static int hf_procmon_process_image_size;
static int hf_procmon_process_parent_pid;
static int hf_procmon_process_curdir;
static int hf_procmon_process_curdir_size;
static int hf_procmon_process_curdir_is_ascii;
static int hf_procmon_process_curdir_char_count;
static int hf_procmon_process_environment;
static int hf_procmon_process_environment_char_count;

/* Registry events */
static int hf_procmon_registry_operation;
static int hf_procmon_registry_desired_access;
static int hf_procmon_registry_granted_access;
static int hf_procmon_registry_disposition;
static int hf_procmon_registry_key;
static int hf_procmon_registry_key_size;
static int hf_procmon_registry_key_is_ascii;
static int hf_procmon_registry_key_char_count;
static int hf_procmon_registry_new_key;
static int hf_procmon_registry_new_key_size;
static int hf_procmon_registry_new_key_is_ascii;
static int hf_procmon_registry_new_key_char_count;
static int hf_procmon_registry_value;
static int hf_procmon_registry_value_size;
static int hf_procmon_registry_value_is_ascii;
static int hf_procmon_registry_value_char_count;
static int hf_procmon_registry_length;
static int hf_procmon_registry_key_information_class;
static int hf_procmon_registry_value_information_class;
static int hf_procmon_registry_key_set_information_class;
static int hf_procmon_registry_index;
static int hf_procmon_registry_type;
static int hf_procmon_registry_data_length;
static int hf_procmon_registry_key_name_size;
static int hf_procmon_registry_key_name;
static int hf_procmon_registry_key_handle_tags;
static int hf_procmon_registry_key_flags;
static int hf_procmon_registry_key_last_write_time;
static int hf_procmon_registry_key_title_index;
static int hf_procmon_registry_key_subkeys;
static int hf_procmon_registry_key_max_name_len;
static int hf_procmon_registry_key_values;
static int hf_procmon_registry_key_max_value_name_len;
static int hf_procmon_registry_key_max_value_data_len;
static int hf_procmon_registry_key_class_offset;
static int hf_procmon_registry_key_class_length;
static int hf_procmon_registry_key_max_class_len;
static int hf_procmon_registry_value_reg_type;
static int hf_procmon_registry_value_offset_to_data;
static int hf_procmon_registry_value_length;
static int hf_procmon_registry_value_name_size;
static int hf_procmon_registry_value_name;
static int hf_procmon_registry_value_dword;
static int hf_procmon_registry_value_qword;
static int hf_procmon_registry_value_sz;
static int hf_procmon_registry_value_binary;
static int hf_procmon_registry_value_multi_sz;
static int hf_procmon_registry_key_set_information_write_time;
static int hf_procmon_registry_key_set_information_wow64_flags;
static int hf_procmon_registry_key_set_information_handle_tags;

/* File system events */
static int hf_procmon_filesystem_operation;
static int hf_procmon_filesystem_suboperation;
static int hf_procmon_filesystem_padding;
static int hf_procmon_filesystem_details;
static int hf_procmon_filesystem_path;
static int hf_procmon_filesystem_path_size;
static int hf_procmon_filesystem_path_is_ascii;
static int hf_procmon_filesystem_path_char_count;
static int hf_procmon_filesystem_create_file_access_mask;
static int hf_procmon_filesystem_create_file_impersonating_sid_length;
static int hf_procmon_filesystem_create_file_impersonating;
static int hf_procmon_filesystem_create_file_disposition;
static int hf_procmon_filesystem_create_file_options;
static int hf_procmon_filesystem_create_file_attributes;
static int hf_procmon_filesystem_create_file_share_mode;
static int hf_procmon_filesystem_create_file_allocation;
static int hf_procmon_filesystem_create_file_sid_revision;
static int hf_procmon_filesystem_create_file_sid_count;
static int hf_procmon_filesystem_create_file_sid_authority;
static int hf_procmon_filesystem_create_file_sid_value;
static int hf_procmon_filesystem_create_file_open_result;
static int hf_procmon_filesystem_readwrite_file_io_flags;
static int hf_procmon_filesystem_readwrite_file_priority;
static int hf_procmon_filesystem_readwrite_file_length;
static int hf_procmon_filesystem_readwrite_file_offset;
static int hf_procmon_filesystem_readwrite_file_result_length;
static int hf_procmon_filesystem_ioctl_write_length;
static int hf_procmon_filesystem_ioctl_read_length;
static int hf_procmon_filesystem_ioctl_ioctl;
static int hf_procmon_filesystem_ioctl_offset;
static int hf_procmon_filesystem_ioctl_length;
static int hf_procmon_filesystem_create_file_mapping_sync_type;
static int hf_procmon_filesystem_create_file_mapping_page_protection;
static int hf_procmon_filesystem_directory;
static int hf_procmon_filesystem_directory_size;
static int hf_procmon_filesystem_directory_is_ascii;
static int hf_procmon_filesystem_directory_char_count;
static int hf_procmon_filesystem_directory_control_file_information_class;
static int hf_procmon_filesystem_directory_control_notify_change_flags;
static int hf_procmon_filesystem_set_info_file_disposition_delete;
static int hf_procmon_filesystem_directory_control_query_next_entry_offset;
static int hf_procmon_filesystem_directory_control_query_file_index;
static int hf_procmon_filesystem_directory_control_query_name_length;
static int hf_procmon_filesystem_directory_control_query_name;
static int hf_procmon_filesystem_directory_control_query_creation_time;
static int hf_procmon_filesystem_directory_control_query_last_access_time;
static int hf_procmon_filesystem_directory_control_query_last_write_time;
static int hf_procmon_filesystem_directory_control_query_change_time;
static int hf_procmon_filesystem_directory_control_query_end_of_file;
static int hf_procmon_filesystem_directory_control_query_allocation_size;
static int hf_procmon_filesystem_directory_control_query_file_attributes;
static int hf_procmon_filesystem_directory_control_query_file_ea_size;
static int hf_procmon_filesystem_directory_control_query_file_id;
static int hf_procmon_filesystem_directory_control_query_short_name_length;
static int hf_procmon_filesystem_directory_control_query_short_name;

/* Profiling events */
static int hf_procmon_profiling_operation;

/* Network events */
static int hf_procmon_network_operation;
static int hf_procmon_network_flags;
static int hf_procmon_network_flags_is_src_ipv4;
static int hf_procmon_network_flags_is_dst_ipv4;
static int hf_procmon_network_flags_tcp_udp;
static int hf_procmon_network_length;
static int hf_procmon_network_src_ipv4;
static int hf_procmon_network_src_ipv6;
static int hf_procmon_network_dest_ipv4;
static int hf_procmon_network_dest_ipv6;
static int hf_procmon_network_src_port;
static int hf_procmon_network_dest_port;
static int hf_procmon_network_padding;
static int hf_procmon_network_details;

/* Subtree (ett) ids, one per expandable node */
static int ett_procmon;
static int ett_procmon_header;
static int ett_procmon_stack_trace;
static int ett_procmon_process_event;
static int ett_procmon_process_path;
static int ett_procmon_process_commandline;
static int ett_procmon_process_curdir;
static int ett_procmon_registry_event;
static int ett_procmon_registry_key;
static int ett_procmon_registry_value;
static int ett_procmon_registry_new_key;
static int ett_procmon_filesystem_event;
static int ett_procmon_filesystem_path;
static int ett_procmon_filesystem_create_file_impersonating;
static int ett_procmon_filesystem_directory;
static int ett_procmon_filesystem_information;
static int ett_procmon_profiling_event;
static int ett_procmon_network_event;
static int ett_procmon_network_flags;

/* Expert-info ids (by name, for event classes / operations the dissector does not recognise) */
static expert_field ei_procmon_unknown_event_class;
static expert_field ei_procmon_unknown_operation;

static dissector_handle_t procmon_handle;

/* Event class carried in the event header; see event_class_vals */
#define PROCMON_EVENT_CLASS_TYPE_PROCESS     1
#define PROCMON_EVENT_CLASS_TYPE_REGISTRY    2
#define PROCMON_EVENT_CLASS_TYPE_FILE_SYSTEM 3
#define PROCMON_EVENT_CLASS_TYPE_PROFILING   4
#define PROCMON_EVENT_CLASS_TYPE_NETWORK     5

/*
 * Layout of the 16-bit string-info word that precedes each variable-length
 * detail string (see dissect_procmon_detail_string_info): bit 15 is the
 * ASCII flag, bits 0-14 hold the character count.
 */
#define STRING_IS_ASCII_MASK   0x8000
#define STRING_CHAR_COUNT_MASK 0x7FFF
228
/*
 * Dissect the 16-bit little-endian "string info" word that precedes a
 * variable-length detail string. The word carries an ASCII flag (bit 15,
 * STRING_IS_ASCII_MASK) and a character count (bits 0-14,
 * STRING_CHAR_COUNT_MASK).
 *
 * The decoded flag and count are returned through *is_ascii and *char_count
 * so the caller can later size the string with dissect_procmon_detail_string().
 * hf_detail is the 2-byte container field; hf_detail_ascii and
 * hf_detail_char_count are its bitfield children, shown under ett_detail.
 * Only the 2-byte word is consumed; the caller advances offset itself.
 */
static void dissect_procmon_detail_string_info(tvbuff_t* tvb, proto_tree* tree, int offset,
    int hf_detail, int hf_detail_ascii, int hf_detail_char_count, int ett_detail, bool* is_ascii, uint16_t* char_count)
{
    uint32_t raw_count = 0;
    proto_item* info_item = proto_tree_add_item(tree, hf_detail, tvb, offset, 2, ENC_LITTLE_ENDIAN);
    proto_tree* info_tree = proto_item_add_subtree(info_item, ett_detail);

    /* Both children are bitfields over the same two bytes. */
    proto_tree_add_item_ret_boolean(info_tree, hf_detail_ascii, tvb, offset, 2, ENC_LITTLE_ENDIAN, is_ascii);
    proto_tree_add_item_ret_uint(info_tree, hf_detail_char_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &raw_count);

    /* Strip the flag bit regardless of how the hf bitmask is configured. */
    *char_count = (uint16_t)(raw_count & STRING_CHAR_COUNT_MASK);
}
243
/*
 * Add a detail string whose encoding and length were decoded earlier by
 * dissect_procmon_detail_string_info(). ASCII strings occupy one byte per
 * character; otherwise the string is UTF-16LE and occupies two.
 *
 * Returns the offset just past the string. char_count is a uint16_t, so the
 * byte length (at most 2 * 65535) always fits in an int; an over-long count
 * in a malformed capture is caught by the tvb bounds checks inside
 * proto_tree_add_item, not here.
 */
static int dissect_procmon_detail_string(tvbuff_t* tvb, proto_tree* tree, int offset, bool is_ascii, uint16_t char_count, int hf_detail_string)
{
    unsigned encoding;
    int byte_len;

    if (is_ascii) {
        encoding = ENC_ASCII;
        byte_len = char_count;
    } else {
        encoding = ENC_UTF_16 | ENC_LITTLE_ENDIAN;
        byte_len = 2 * char_count;
    }

    proto_tree_add_item(tree, hf_detail_string, tvb, offset, byte_len, encoding);
    return offset + byte_len;
}
251
/*
 * Add an access-mask field of `length` bytes (little-endian) and append a
 * "(RIGHT, RIGHT, ...)" summary of the rights it grants to the item text.
 *
 * If mapping is non-NULL it is a four-entry table that expands the four
 * high-order generic bits (0x80000000, 0x40000000, 0x20000000, 0x10000000 —
 * the positions Windows uses for GENERIC_READ/WRITE/EXECUTE/ALL) into the
 * object-specific rights they stand for, so those rights are listed as well.
 * The bits are tested in that order against the mask as it is being expanded.
 *
 * vs_mask_values is a NULL-terminated value_string table. An entry is listed
 * when every bit of its value is set in the (expanded) mask; note that an
 * entry whose value is 0 would therefore always be listed.
 */
static void dissect_procmon_access_mask(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, int offset, int hf_access_mask, int length, uint32_t* mapping, const value_string* vs_mask_values)
{
    static const uint32_t generic_bits[4] = { 0x80000000, 0x40000000, 0x20000000, 0x10000000 };
    uint32_t access_mask = 0;
    wmem_strbuf_t* summary = wmem_strbuf_new(pinfo->pool, "(");
    proto_item* mask_item = proto_tree_add_item_ret_uint(tree, hf_access_mask, tvb, offset, length, ENC_LITTLE_ENDIAN, &access_mask);

    if (mapping != NULL) {
        for (int i = 0; i < 4; i++) {
            if (access_mask & generic_bits[i])
                access_mask |= mapping[i];
        }
    }

    const char* sep = "";
    for (const value_string* vs = vs_mask_values; vs->strptr != NULL; vs++) {
        if ((vs->value & access_mask) != vs->value)
            continue;
        wmem_strbuf_append(summary, sep);
        wmem_strbuf_append(summary, vs->strptr);
        sep = ", ";
    }

    wmem_strbuf_append_c(summary, ')');
    proto_item_append_text(mask_item, " %s", wmem_strbuf_get_str(summary));
}
289
/* Names for the PROCMON_EVENT_CLASS_TYPE_* values found in the event header. */
static const value_string event_class_vals[] = {
    { PROCMON_EVENT_CLASS_TYPE_PROCESS,     "Process"     },
    { PROCMON_EVENT_CLASS_TYPE_REGISTRY,    "Registry"    },
    { PROCMON_EVENT_CLASS_TYPE_FILE_SYSTEM, "File System" },
    { PROCMON_EVENT_CLASS_TYPE_PROFILING,   "Profiling"   },
    { PROCMON_EVENT_CLASS_TYPE_NETWORK,     "Network"     },
    { 0, NULL }
};
298
/* Operation codes of Process-class events; dispatched on in dissect_procmon_process_event(). */
#define PROCMON_PROCESS_OPERATION_DEFINED            0x0000
#define PROCMON_PROCESS_OPERATION_CREATE             0x0001
#define PROCMON_PROCESS_OPERATION_EXIT               0x0002
#define PROCMON_PROCESS_OPERATION_THREAD_CREATE      0x0003
#define PROCMON_PROCESS_OPERATION_THREAD_EXIT        0x0004
#define PROCMON_PROCESS_OPERATION_LOAD_IMAGE         0x0005
#define PROCMON_PROCESS_OPERATION_THREAD_PROFILE     0x0006
#define PROCMON_PROCESS_OPERATION_PROCESS_START      0x0007
#define PROCMON_PROCESS_OPERATION_PROCESS_STATISTICS 0x0008
#define PROCMON_PROCESS_OPERATION_SYSTEM_STATISTICS  0x0009

static const value_string process_operation_vals[] = {
    { PROCMON_PROCESS_OPERATION_DEFINED,            "Process Defined"    },
    { PROCMON_PROCESS_OPERATION_CREATE,             "Process Create"     },
    { PROCMON_PROCESS_OPERATION_EXIT,               "Process Exit"       },
    { PROCMON_PROCESS_OPERATION_THREAD_CREATE,      "Thread Create"      },
    { PROCMON_PROCESS_OPERATION_THREAD_EXIT,        "Thread Exit"        },
    { PROCMON_PROCESS_OPERATION_LOAD_IMAGE,         "Load Image"         },
    { PROCMON_PROCESS_OPERATION_THREAD_PROFILE,     "Thread Profile"     },
    { PROCMON_PROCESS_OPERATION_PROCESS_START,      "Process Start"      },
    { PROCMON_PROCESS_OPERATION_PROCESS_STATISTICS, "Process Statistics" },
    { PROCMON_PROCESS_OPERATION_SYSTEM_STATISTICS,  "System Statistics"  },
    { 0, NULL }
};
323
324
/* Add a little-endian integer field of len bytes and return the offset just past it. */
static int procmon_add_le_item(proto_tree* tree, int hf, tvbuff_t* tvb, int offset, int len)
{
    proto_tree_add_item(tree, hf, tvb, offset, len, ENC_LITTLE_ENDIAN);
    return offset + len;
}

/*
 * Dissect the details block of a Process-class event. tvb holds only the
 * details; which layout applies is selected by operation, one of the
 * PROCMON_PROCESS_OPERATION_* values. Regions marked "unknown" are skipped
 * because their meaning has not been worked out.
 *
 * Every length consumed here (the two 1-byte blob sizes, the string
 * character counts, the environment character count) is read from the
 * capture file and is therefore untrusted. No explicit range checks are made
 * in this function: an over-long count is caught by the tvb accessors, which
 * throw rather than read past the buffer.
 *
 * Offsets are threaded through the helpers; the last field of each layout is
 * added without storing the advanced offset so no dead store is left behind.
 *
 * Returns whether the caller should also dissect the extra-details buffer.
 * No process operation uses it, so this always returns false and
 * extra_details_tvb is unused.
 */
static bool dissect_procmon_process_event(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, uint32_t operation, tvbuff_t* extra_details_tvb _U_)
{
    int offset = 0;
    proto_tree* process_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_procmon_process_event, NULL, "Process Data");

    switch (operation) {
    case PROCMON_PROCESS_OPERATION_DEFINED:
    case PROCMON_PROCESS_OPERATION_CREATE:
    {
        bool path_is_ascii, cmdline_is_ascii;
        uint16_t path_chars, cmdline_chars;

        offset += 4;                                   /* unknown */
        offset = procmon_add_le_item(process_tree, hf_procmon_process_pid, tvb, offset, 4);
        offset += 36;                                  /* unknown */
        /* Sizes of two blobs of unknown content that sit between the string-info words and the strings. */
        uint8_t blob1_size = tvb_get_uint8(tvb, offset++);
        uint8_t blob2_size = tvb_get_uint8(tvb, offset++);
        dissect_procmon_detail_string_info(tvb, process_tree, offset,
            hf_procmon_process_path_size, hf_procmon_process_path_is_ascii, hf_procmon_process_path_char_count, ett_procmon_process_path,
            &path_is_ascii, &path_chars);
        offset += 2;
        dissect_procmon_detail_string_info(tvb, process_tree, offset,
            hf_procmon_process_commandline_size, hf_procmon_process_commandline_is_ascii, hf_procmon_process_commandline_char_count, ett_procmon_process_commandline,
            &cmdline_is_ascii, &cmdline_chars);
        offset += 2;
        offset += 2 + blob1_size + blob2_size;         /* 2 unknown bytes, then the two blobs */
        offset = dissect_procmon_detail_string(tvb, process_tree, offset, path_is_ascii, path_chars, hf_procmon_process_path);
        dissect_procmon_detail_string(tvb, process_tree, offset, cmdline_is_ascii, cmdline_chars, hf_procmon_process_commandline);
        break;
    }
    case PROCMON_PROCESS_OPERATION_EXIT:
    {
        /* Six 64-bit counters follow the 32-bit exit status, in this order. */
        const int counters[] = {
            hf_procmon_process_kernel_time,
            hf_procmon_process_user_time,
            hf_procmon_process_working_set,
            hf_procmon_process_peak_working_set,
            hf_procmon_process_private_bytes,
            hf_procmon_process_peak_private_bytes,
        };

        offset = procmon_add_le_item(process_tree, hf_procmon_process_exit_status, tvb, offset, 4);
        for (unsigned i = 0; i < sizeof counters / sizeof counters[0]; i++)
            offset = procmon_add_le_item(process_tree, counters[i], tvb, offset, 8);
        break;
    }
    case PROCMON_PROCESS_OPERATION_THREAD_CREATE:
        procmon_add_le_item(process_tree, hf_procmon_process_thread_id, tvb, offset, 4);
        break;
    case PROCMON_PROCESS_OPERATION_THREAD_EXIT:
    case PROCMON_PROCESS_OPERATION_PROCESS_STATISTICS:
        offset += 4;                                   /* unknown */
        offset = procmon_add_le_item(process_tree, hf_procmon_process_kernel_time, tvb, offset, 8);
        procmon_add_le_item(process_tree, hf_procmon_process_user_time, tvb, offset, 8);
        break;
    case PROCMON_PROCESS_OPERATION_LOAD_IMAGE:
    {
        bool path_is_ascii;
        uint16_t path_chars;
        /* The image base is a native pointer: 8 bytes on a 64-bit capture host, else 4. */
        int ptr_size = pinfo->pseudo_header->procmon.system_bitness ? 8 : 4;

        offset = procmon_add_le_item(process_tree, hf_procmon_process_image_base, tvb, offset, ptr_size);
        offset = procmon_add_le_item(process_tree, hf_procmon_process_image_size, tvb, offset, 4);
        dissect_procmon_detail_string_info(tvb, process_tree, offset,
            hf_procmon_process_path_size, hf_procmon_process_path_is_ascii, hf_procmon_process_path_char_count, ett_procmon_process_path,
            &path_is_ascii, &path_chars);
        offset += 2;
        offset += 2;                                   /* unknown */
        dissect_procmon_detail_string(tvb, process_tree, offset, path_is_ascii, path_chars, hf_procmon_process_path);
        break;
    }
    case PROCMON_PROCESS_OPERATION_THREAD_PROFILE:
        /* Layout unknown; nothing beyond the subtree is added. */
        break;
    case PROCMON_PROCESS_OPERATION_PROCESS_START:
    {
        bool cmdline_is_ascii, curdir_is_ascii;
        uint16_t cmdline_chars, curdir_chars;
        uint32_t env_chars = 0;

        offset = procmon_add_le_item(process_tree, hf_procmon_process_parent_pid, tvb, offset, 4);
        dissect_procmon_detail_string_info(tvb, process_tree, offset,
            hf_procmon_process_commandline_size, hf_procmon_process_commandline_is_ascii, hf_procmon_process_commandline_char_count, ett_procmon_process_commandline,
            &cmdline_is_ascii, &cmdline_chars);
        offset += 2;
        dissect_procmon_detail_string_info(tvb, process_tree, offset,
            hf_procmon_process_curdir_size, hf_procmon_process_curdir_is_ascii, hf_procmon_process_curdir_char_count, ett_procmon_process_curdir,
            &is_curdir_ascii_placeholder_never_used, &curdir_chars);
        offset += 2;
        proto_tree_add_item_ret_uint(process_tree, hf_procmon_process_environment_char_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &env_chars);
        offset += 4;
        offset = dissect_procmon_detail_string(tvb, process_tree, offset, cmdline_is_ascii, cmdline_chars, hf_procmon_process_commandline);
        offset = dissect_procmon_detail_string(tvb, process_tree, offset, curdir_is_ascii, curdir_chars, hf_procmon_process_curdir);
        /*
         * The environment block is always UTF-16LE. env_chars * 2 is computed
         * in uint32_t and narrowed to the int length parameter, so a count of
         * 0x40000000 or more from a malformed file yields a wrapped or negative
         * length; that is left to proto_tree_add_item's own validation.
         */
        proto_tree_add_item(process_tree, hf_procmon_process_environment, tvb, offset, env_chars * 2, ENC_UTF_16 | ENC_LITTLE_ENDIAN);
        break;
    }
    case PROCMON_PROCESS_OPERATION_SYSTEM_STATISTICS:
        /* Layout unknown; nothing beyond the subtree is added. */
        break;
    default:
        /* Unrecognised operation: only the "Process Data" subtree is shown. */
        break;
    }

    return false;
}
461
/* Operation codes of Registry-class events. */
#define PROCMON_REGISTRY_OPERATION_OPEN_KEY             0x0000
#define PROCMON_REGISTRY_OPERATION_CREATE_KEY           0x0001
#define PROCMON_REGISTRY_OPERATION_CLOSE_KEY            0x0002
#define PROCMON_REGISTRY_OPERATION_QUERY_KEY            0x0003
#define PROCMON_REGISTRY_OPERATION_SET_VALUE            0x0004
#define PROCMON_REGISTRY_OPERATION_QUERY_VALUE          0x0005
#define PROCMON_REGISTRY_OPERATION_ENUM_VALUE           0x0006
#define PROCMON_REGISTRY_OPERATION_ENUM_KEY             0x0007
#define PROCMON_REGISTRY_OPERATION_SET_INFO_KEY         0x0008
#define PROCMON_REGISTRY_OPERATION_DELETE_KEY           0x0009
#define PROCMON_REGISTRY_OPERATION_DELETE_VALUE         0x000A
#define PROCMON_REGISTRY_OPERATION_FLUSH_KEY            0x000B
#define PROCMON_REGISTRY_OPERATION_LOAD_KEY             0x000C
#define PROCMON_REGISTRY_OPERATION_UNLOAD_KEY           0x000D
#define PROCMON_REGISTRY_OPERATION_RENAME_KEY           0x000E
#define PROCMON_REGISTRY_OPERATION_QUERY_MULTIPLE_VALUE 0x000F
#define PROCMON_REGISTRY_OPERATION_SET_KEY_SECURITY     0x0010
#define PROCMON_REGISTRY_OPERATION_QUERY_KEY_SECURITY   0x0011

static const value_string registry_operation_vals[] = {
    { PROCMON_REGISTRY_OPERATION_OPEN_KEY,             "Open Key"             },
    { PROCMON_REGISTRY_OPERATION_CREATE_KEY,           "Create Key"           },
    { PROCMON_REGISTRY_OPERATION_CLOSE_KEY,            "Close Key"            },
    { PROCMON_REGISTRY_OPERATION_QUERY_KEY,            "Query Key"            },
    { PROCMON_REGISTRY_OPERATION_SET_VALUE,            "Set Value"            },
    { PROCMON_REGISTRY_OPERATION_QUERY_VALUE,          "Query Value"          },
    { PROCMON_REGISTRY_OPERATION_ENUM_VALUE,           "Enum Value"           },
    { PROCMON_REGISTRY_OPERATION_ENUM_KEY,             "Enum Key"             },
    { PROCMON_REGISTRY_OPERATION_SET_INFO_KEY,         "Set Info Key"         },
    { PROCMON_REGISTRY_OPERATION_DELETE_KEY,           "Delete Key"           },
    { PROCMON_REGISTRY_OPERATION_DELETE_VALUE,         "Delete Value"         },
    { PROCMON_REGISTRY_OPERATION_FLUSH_KEY,            "Flush Key"            },
    { PROCMON_REGISTRY_OPERATION_LOAD_KEY,             "Load Key"             },
    { PROCMON_REGISTRY_OPERATION_UNLOAD_KEY,           "Unload Key"           },
    { PROCMON_REGISTRY_OPERATION_RENAME_KEY,           "Rename Key"           },
    { PROCMON_REGISTRY_OPERATION_QUERY_MULTIPLE_VALUE, "Query Multiple Value" },
    { PROCMON_REGISTRY_OPERATION_SET_KEY_SECURITY,     "Set Key Security"     },
    { PROCMON_REGISTRY_OPERATION_QUERY_KEY_SECURITY,   "Query Key Security"   },
    { 0, NULL }
};
502
/*
 * KEY_INFORMATION_CLASS values for Query Key / Enum Key events. The numbering
 * matches the Windows KEY_INFORMATION_CLASS enumeration (KeyBasicInformation
 * = 0 through KeyLayerInformation = 9).
 */
#define PROCMON_REGISTRY_KEY_INFORMATION_CLASS_BASIC          0
#define PROCMON_REGISTRY_KEY_INFORMATION_CLASS_NODE           1
#define PROCMON_REGISTRY_KEY_INFORMATION_CLASS_FULL           2
#define PROCMON_REGISTRY_KEY_INFORMATION_CLASS_NAME           3
#define PROCMON_REGISTRY_KEY_INFORMATION_CLASS_CACHED         4
#define PROCMON_REGISTRY_KEY_INFORMATION_CLASS_FLAGS          5
#define PROCMON_REGISTRY_KEY_INFORMATION_CLASS_VIRTUALIZATION 6
#define PROCMON_REGISTRY_KEY_INFORMATION_CLASS_HANDLE_TAGS    7
#define PROCMON_REGISTRY_KEY_INFORMATION_CLASS_TRUST          8
#define PROCMON_REGISTRY_KEY_INFORMATION_CLASS_LAYER          9

static const value_string registry_key_information_class_vals[] = {
    { PROCMON_REGISTRY_KEY_INFORMATION_CLASS_BASIC,          "Basic"          },
    { PROCMON_REGISTRY_KEY_INFORMATION_CLASS_NODE,           "Node"           },
    { PROCMON_REGISTRY_KEY_INFORMATION_CLASS_FULL,           "Full"           },
    { PROCMON_REGISTRY_KEY_INFORMATION_CLASS_NAME,           "Name"           },
    { PROCMON_REGISTRY_KEY_INFORMATION_CLASS_CACHED,         "Cached"         },
    { PROCMON_REGISTRY_KEY_INFORMATION_CLASS_FLAGS,          "Flags"          },
    { PROCMON_REGISTRY_KEY_INFORMATION_CLASS_VIRTUALIZATION, "Virtualization" },
    { PROCMON_REGISTRY_KEY_INFORMATION_CLASS_HANDLE_TAGS,    "Handle Tags"    },
    { PROCMON_REGISTRY_KEY_INFORMATION_CLASS_TRUST,          "Trust"          },
    { PROCMON_REGISTRY_KEY_INFORMATION_CLASS_LAYER,          "Layer"          },
    { 0, NULL }
};
527
/*
 * Information classes for Set Info Key events.
 *
 * NOTE(review): HANDLE_TAGS_INFO = 2 differs from the Windows
 * KEY_SET_INFORMATION_CLASS numbering, where KeySetHandleTagsInformation is 5
 * (2 is KeyControlFlagsInformation). Presumably this follows Procmon's own
 * encoding of the class — confirm against procmon-parser before relying on it.
 */
#define PROCMON_REGISTRY_KEY_SET_INFORMATION_WRITE_TIME_INFO  0
#define PROCMON_REGISTRY_KEY_SET_INFORMATION_WOW64_FLAGS_INFO 1
#define PROCMON_REGISTRY_KEY_SET_INFORMATION_HANDLE_TAGS_INFO 2

/*
 * Despite the "value" in its name this table describes KEY set-information
 * classes (cf. hf_procmon_registry_key_set_information_class); the identifier
 * is kept because it may be referenced elsewhere in this file.
 */
static const value_string registry_value_set_information_class_vals[] = {
    { PROCMON_REGISTRY_KEY_SET_INFORMATION_WRITE_TIME_INFO,  "Write Time"      },
    { PROCMON_REGISTRY_KEY_SET_INFORMATION_WOW64_FLAGS_INFO, "WOW64 Flags"     },
    { PROCMON_REGISTRY_KEY_SET_INFORMATION_HANDLE_TAGS_INFO, "Set Handle Tags" },
    { 0, NULL }
};
538
539
540
/*
 * KEY_VALUE_INFORMATION_CLASS values for Query Value / Enum Value events. The
 * numbering matches the Windows enumeration (KeyValueBasicInformation = 0
 * through KeyValueLayerInformation = 5).
 */
#define PROCMON_REGISTRY_VALUE_INFORMATION_CLASS_BASIC           0
#define PROCMON_REGISTRY_VALUE_INFORMATION_CLASS_FULL            1
#define PROCMON_REGISTRY_VALUE_INFORMATION_CLASS_PARTIAL         2
#define PROCMON_REGISTRY_VALUE_INFORMATION_CLASS_FULL_ALIGN64    3
#define PROCMON_REGISTRY_VALUE_INFORMATION_CLASS_PARTIAL_ALIGN64 4
#define PROCMON_REGISTRY_VALUE_INFORMATION_CLASS_LAYER           5

static const value_string registry_value_information_class_vals[] = {
    { PROCMON_REGISTRY_VALUE_INFORMATION_CLASS_BASIC,           "Basic"           },
    { PROCMON_REGISTRY_VALUE_INFORMATION_CLASS_FULL,            "Full"            },
    { PROCMON_REGISTRY_VALUE_INFORMATION_CLASS_PARTIAL,         "Partial"         },
    { PROCMON_REGISTRY_VALUE_INFORMATION_CLASS_FULL_ALIGN64,    "Full Align64"    },
    { PROCMON_REGISTRY_VALUE_INFORMATION_CLASS_PARTIAL_ALIGN64, "Partial Align64" },
    { PROCMON_REGISTRY_VALUE_INFORMATION_CLASS_LAYER,           "Layer"           },
    { 0, NULL }
};
557
/* Disposition reported by Create Key; same values as Windows REG_CREATED_NEW_KEY / REG_OPENED_EXISTING_KEY. */
#define PROCMON_REGISTRY_DISPOSITION_CREATED_NEW_KEY     1
#define PROCMON_REGISTRY_DISPOSITION_OPENED_EXISTING_KEY 2

static const value_string registry_disposition_vals[] = {
    { PROCMON_REGISTRY_DISPOSITION_CREATED_NEW_KEY,     "Created Key"   },
    { PROCMON_REGISTRY_DISPOSITION_OPENED_EXISTING_KEY, "Open Existing" },
    { 0, NULL }
};
566
567static int procmon_registry_query_or_enum_key_extra_details(proto_tree* tree, tvbuff_t* tvb, uint32_t information_class)
568{
569 uint32_t name_size;
570 nstime_t timestamp;
571 int offset = 0;
572
573 switch (information_class)
574 {
575 case PROCMON_REGISTRY_KEY_INFORMATION_CLASS_NAME3:
576 proto_tree_add_item_ret_uint(tree, hf_procmon_registry_key_name_size, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &name_size);
577 offset += 4;
578 proto_tree_add_item(tree, hf_procmon_registry_key_name, tvb, offset, name_size, ENC_UTF_160x00000004 | ENC_LITTLE_ENDIAN0x80000000);
579 offset += name_size;
580 break;
581
582 case PROCMON_REGISTRY_KEY_INFORMATION_CLASS_HANDLE_TAGS7:
583 proto_tree_add_item(tree, hf_procmon_registry_key_handle_tags, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
584 offset += 4;
585 break;
586
587 case PROCMON_REGISTRY_KEY_INFORMATION_CLASS_FLAGS5:
588 proto_tree_add_item(tree, hf_procmon_registry_key_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
589 offset += 4;
590 break;
591
592 case PROCMON_REGISTRY_KEY_INFORMATION_CLASS_CACHED4:
593 filetime_to_nstime(&timestamp, tvb_get_letoh64(tvb, offset));
594 proto_tree_add_time(tree, hf_procmon_registry_key_last_write_time, tvb, offset, 8, &timestamp);
595 offset += 8;
596 proto_tree_add_item(tree, hf_procmon_registry_key_title_index, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
597 offset += 4;
598 proto_tree_add_item(tree, hf_procmon_registry_key_subkeys, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
599 offset += 4;
600 proto_tree_add_item(tree, hf_procmon_registry_key_max_name_len, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
601 offset += 4;
602 proto_tree_add_item(tree, hf_procmon_registry_key_values, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
603 offset += 4;
604 proto_tree_add_item(tree, hf_procmon_registry_key_max_value_name_len, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
605 offset += 4;
606 proto_tree_add_item(tree, hf_procmon_registry_key_max_value_data_len, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
607 offset += 4;
608 break;
609
610 case PROCMON_REGISTRY_KEY_INFORMATION_CLASS_BASIC0:
611 filetime_to_nstime(&timestamp, tvb_get_letoh64(tvb, offset));
612 proto_tree_add_time(tree, hf_procmon_registry_key_last_write_time, tvb, offset, 8, &timestamp);
613 offset += 8;
614 proto_tree_add_item(tree, hf_procmon_registry_key_title_index, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
615 offset += 4;
616 proto_tree_add_item_ret_uint(tree, hf_procmon_registry_key_name_size, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &name_size);
617 offset += 4;
618 proto_tree_add_item(tree, hf_procmon_registry_key_name, tvb, offset, name_size, ENC_UTF_160x00000004 | ENC_LITTLE_ENDIAN0x80000000);
619 offset += name_size;
620 break;
621
622 case PROCMON_REGISTRY_KEY_INFORMATION_CLASS_FULL2:
623 filetime_to_nstime(&timestamp, tvb_get_letoh64(tvb, offset));
624 proto_tree_add_time(tree, hf_procmon_registry_key_last_write_time, tvb, offset, 8, &timestamp);
625 offset += 8;
626 proto_tree_add_item(tree, hf_procmon_registry_key_title_index, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
627 offset += 4;
628 proto_tree_add_item(tree, hf_procmon_registry_key_class_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
629 offset += 4;
630 proto_tree_add_item(tree, hf_procmon_registry_key_class_length, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
631 offset += 4;
632 proto_tree_add_item(tree, hf_procmon_registry_key_subkeys, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
633 offset += 4;
634 proto_tree_add_item(tree, hf_procmon_registry_key_max_name_len, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
635 offset += 4;
636 proto_tree_add_item(tree, hf_procmon_registry_key_max_class_len, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
637 offset += 4;
638 proto_tree_add_item(tree, hf_procmon_registry_key_values, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
639 offset += 4;
640 proto_tree_add_item(tree, hf_procmon_registry_key_max_value_name_len, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
641 offset += 4;
642 proto_tree_add_item(tree, hf_procmon_registry_key_max_value_data_len, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
643 offset += 4;
644 break;
645
646 case PROCMON_REGISTRY_KEY_INFORMATION_CLASS_NODE1:
647 filetime_to_nstime(&timestamp, tvb_get_letoh64(tvb, offset));
648 proto_tree_add_time(tree, hf_procmon_registry_key_last_write_time, tvb, offset, 8, &timestamp);
649 offset += 8;
650 proto_tree_add_item(tree, hf_procmon_registry_key_title_index, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
651 offset += 4;
652 proto_tree_add_item(tree, hf_procmon_registry_key_class_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
653 offset += 4;
654 proto_tree_add_item(tree, hf_procmon_registry_key_class_length, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
655 offset += 4;
656 proto_tree_add_item_ret_uint(tree, hf_procmon_registry_key_name_size, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &name_size);
657 offset += 4;
658 proto_tree_add_item(tree, hf_procmon_registry_key_name, tvb, offset, name_size, ENC_UTF_160x00000004 | ENC_LITTLE_ENDIAN0x80000000);
659 offset += name_size;
660 break;
661
662 case PROCMON_REGISTRY_KEY_INFORMATION_CLASS_VIRTUALIZATION6:
663 case PROCMON_REGISTRY_KEY_INFORMATION_CLASS_TRUST8:
664 case PROCMON_REGISTRY_KEY_INFORMATION_CLASS_LAYER9:
665 //No extra data (or unknown)
666 break;
667 }
668
669 return offset;
670}
671
/* Registry value data types, numbered like the Windows REG_* constants.
 * Used by registry_value_reg_type_vals (display) and by
 * procmon_read_registry_data, which only has handlers for SZ, EXPAND_SZ,
 * BINARY, DWORD, QWORD and MULTI_SZ.
 * NOTE(review): 12 ("REG_QWORD_BIG_ENDIAN") does not correspond to a public
 * winnt.h REG_* value as far as this file shows - confirm against a capture. */
#define PROCMON_REGISTRY_VALUE_REG_TYPE_NONE 0
#define PROCMON_REGISTRY_VALUE_REG_TYPE_SZ 1
#define PROCMON_REGISTRY_VALUE_REG_TYPE_EXPAND_SZ 2
#define PROCMON_REGISTRY_VALUE_REG_TYPE_BINARY 3
#define PROCMON_REGISTRY_VALUE_REG_TYPE_DWORD 4
#define PROCMON_REGISTRY_VALUE_REG_TYPE_DWORD_BIG_ENDIAN 5
#define PROCMON_REGISTRY_VALUE_REG_TYPE_LINK 6
#define PROCMON_REGISTRY_VALUE_REG_TYPE_MULTI_SZ 7
#define PROCMON_REGISTRY_VALUE_REG_TYPE_RESOURCE_LIST 8
#define PROCMON_REGISTRY_VALUE_REG_TYPE_FULL_RESOURCE_DESCRIPTOR 9
#define PROCMON_REGISTRY_VALUE_REG_TYPE_RESOURCE_REQUIREMENTS_LIST 10
#define PROCMON_REGISTRY_VALUE_REG_TYPE_QWORD 11
#define PROCMON_REGISTRY_VALUE_REG_TYPE_QWORD_BIG_ENDIAN 12
685
/* Display names for PROCMON_REGISTRY_VALUE_REG_TYPE_* (registry value
 * "type" field).  Terminated by the usual { 0, NULL } sentinel. */
static const value_string registry_value_reg_type_vals[] = {
    { PROCMON_REGISTRY_VALUE_REG_TYPE_NONE, "REG_NONE" },
    { PROCMON_REGISTRY_VALUE_REG_TYPE_SZ, "REG_SZ" },
    { PROCMON_REGISTRY_VALUE_REG_TYPE_EXPAND_SZ, "REG_EXPAND_SZ" },
    { PROCMON_REGISTRY_VALUE_REG_TYPE_BINARY, "REG_BINARY" },
    { PROCMON_REGISTRY_VALUE_REG_TYPE_DWORD, "REG_DWORD" },
    { PROCMON_REGISTRY_VALUE_REG_TYPE_DWORD_BIG_ENDIAN, "REG_DWORD_BIG_ENDIAN" },
    { PROCMON_REGISTRY_VALUE_REG_TYPE_LINK, "REG_LINK" },
    { PROCMON_REGISTRY_VALUE_REG_TYPE_MULTI_SZ, "REG_MULTI_SZ" },
    { PROCMON_REGISTRY_VALUE_REG_TYPE_RESOURCE_LIST, "REG_RESOURCE_LIST" },
    { PROCMON_REGISTRY_VALUE_REG_TYPE_FULL_RESOURCE_DESCRIPTOR, "REG_FULL_RESOURCE_DESCRIPTOR" },
    { PROCMON_REGISTRY_VALUE_REG_TYPE_RESOURCE_REQUIREMENTS_LIST, "REG_RESOURCE_REQUIREMENTS_LIST" },
    { PROCMON_REGISTRY_VALUE_REG_TYPE_QWORD, "REG_QWORD" },
    { PROCMON_REGISTRY_VALUE_REG_TYPE_QWORD_BIG_ENDIAN, "REG_QWORD_BIG_ENDIAN" },
    { 0, NULL }
};
702
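/* Dissect the data of a registry value of REG_* type `type`, starting at
 * `offset` in `tvb`, adding one item to `tree`.
 *
 * `length` is the data length declared by the caller (the value's length
 * field for QueryValue/EnumValue, the whole extra-details tvb for SetValue).
 * It is only consulted after a REG_MULTI_SZ list, to step over any trailing
 * padding the declared length covers; it is clamped to the tvb so a hostile
 * length cannot push the offset past the buffer.
 *
 * REG_SZ/REG_EXPAND_SZ/REG_BINARY consume everything up to the end of the
 * tvb.  Types without a dedicated handler (REG_NONE, REG_LINK, the
 * big-endian and resource variants) add nothing and leave `offset` as is.
 *
 * Returns the absolute offset just past the dissected data.  Callers must
 * assign the result (`offset = ...`); adding it to their own offset
 * double-counts.
 */
static int procmon_read_registry_data(proto_tree* tree, packet_info* pinfo, tvbuff_t* tvb, int offset, uint32_t type, uint32_t length)
{
    switch (type)
    {
    case PROCMON_REGISTRY_VALUE_REG_TYPE_DWORD:
        proto_tree_add_item(tree, hf_procmon_registry_value_dword, tvb, offset, 4, ENC_LITTLE_ENDIAN);
        offset += 4;
        break;

    case PROCMON_REGISTRY_VALUE_REG_TYPE_QWORD:
        proto_tree_add_item(tree, hf_procmon_registry_value_qword, tvb, offset, 8, ENC_LITTLE_ENDIAN);
        offset += 8;
        break;

    case PROCMON_REGISTRY_VALUE_REG_TYPE_SZ:
    case PROCMON_REGISTRY_VALUE_REG_TYPE_EXPAND_SZ:
        /* Length -1 runs to the end of the tvb, so the new offset is the
         * tvb end (not offset + total length, which overshoots when
         * offset != 0). */
        proto_tree_add_item(tree, hf_procmon_registry_value_sz, tvb, offset, -1, ENC_UTF_16 | ENC_LITTLE_ENDIAN);
        offset = (int)tvb_reported_length(tvb);
        break;

    case PROCMON_REGISTRY_VALUE_REG_TYPE_BINARY:
        proto_tree_add_item(tree, hf_procmon_registry_value_binary, tvb, offset, -1, ENC_NA);
        offset = (int)tvb_reported_length(tvb);
        break;

    case PROCMON_REGISTRY_VALUE_REG_TYPE_MULTI_SZ:
    {
        /* A REG_MULTI_SZ is a run of NUL-terminated UTF-16LE strings ended
         * by an empty string (a second NUL). */
        int str_length;
        int start_offset = offset;
        int remaining;
        uint8_t* substring;
        wmem_strbuf_t* full_string = wmem_strbuf_new(pinfo->pool, "");

        while (((substring = tvb_get_stringz_enc(pinfo->pool, tvb, offset, &str_length, ENC_UTF_16 | ENC_LITTLE_ENDIAN)) != NULL) && (strlen((const char*)substring) > 0))
        {
            wmem_strbuf_append_printf(full_string, " %s", substring);
            /* str_length includes the terminating NUL, so this steps past it. */
            offset += str_length;
        }
        //Include the NULL string at the end of the list
        offset += 2;

        proto_tree_add_string(tree, hf_procmon_registry_value_multi_sz, tvb, start_offset, offset - start_offset, wmem_strbuf_get_str(full_string));

        /* The walked extent is what was displayed; if the declared length
         * reaches further (trailing padding), skip to its end.  Never move
         * backwards and never past the tvb. */
        remaining = tvb_reported_length_remaining(tvb, start_offset);
        if (length > 0 && remaining > 0 && length <= (uint32_t)remaining)
        {
            int declared_end = start_offset + (int)length;
            if (declared_end > offset)
                offset = declared_end;
        }
        break;
    }

    default:
        /* No handler for this REG_* type: nothing is added, offset unchanged. */
        break;
    }

    return offset;
}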
747
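/* Dissect the extra-details trailer of a registry QueryValue/EnumValue event.
 *
 * Layout (little-endian, offsets into `tvb`):
 *   0   4 bytes  unknown
 *   4   4 bytes  REG_* data type (hf_procmon_registry_value_reg_type)
 *   8   class-specific fields selected by `information_class`:
 *         FULL:    data offset, data length, name size, name (UTF-16LE)
 *         PARTIAL: data length
 *         other:   nothing (length stays 0, so no data is dissected)
 * followed by the value data, handed to procmon_read_registry_data when the
 * declared length is non-zero.
 *
 * Returns the absolute offset just past what was dissected (the callers in
 * dissect_procmon_registry_event only test it for non-zero).
 */
static int procmon_registry_query_or_enum_value_extra_details(proto_tree* tree, packet_info* pinfo, tvbuff_t* tvb, uint32_t information_class)
{
    int offset = 0;
    uint32_t length = 0, type, name_size = 0;

    //Unknown fields
    offset += 4;

    proto_tree_add_item_ret_uint(tree, hf_procmon_registry_value_reg_type, tvb, offset, 4, ENC_LITTLE_ENDIAN, &type);
    offset += 4;

    switch (information_class)
    {
    case PROCMON_REGISTRY_VALUE_INFORMATION_CLASS_FULL:
        proto_tree_add_item(tree, hf_procmon_registry_value_offset_to_data, tvb, offset, 4, ENC_LITTLE_ENDIAN);
        offset += 4;
        proto_tree_add_item_ret_uint(tree, hf_procmon_registry_value_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
        offset += 4;
        proto_tree_add_item_ret_uint(tree, hf_procmon_registry_value_name_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &name_size);
        offset += 4;
        /* name_size comes from the capture; proto_tree_add_item bounds-checks it against the tvb. */
        proto_tree_add_item(tree, hf_procmon_registry_value_name, tvb, offset, name_size, ENC_UTF_16 | ENC_LITTLE_ENDIAN);
        offset += name_size;
        break;

    case PROCMON_REGISTRY_VALUE_INFORMATION_CLASS_PARTIAL:
        proto_tree_add_item_ret_uint(tree, hf_procmon_registry_value_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
        offset += 4;
        break;

    default:
        /* No length field is known for other classes; leave length at 0. */
        break;
    }

    /* procmon_read_registry_data returns an absolute offset, so assign it
     * rather than adding it (the old `+=` counted `offset` twice). */
    if (length > 0)
        offset = procmon_read_registry_data(tree, pinfo, tvb, offset, type, length);

    return offset;
}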
782
783static bool_Bool dissect_procmon_registry_event(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, uint32_t operation, tvbuff_t* extra_details_tvb)
784{
785 proto_tree* registry_tree;
786 int offset = 0, extra_offset = 0;
787 bool_Bool is_value_ascii, is_new_value_ascii;
788 uint32_t information_class, type;
789 uint16_t value_char_count, new_value_char_count;
790 uint32_t registry_access_mask_mapping[4] = { 0x20019, 0x20006, 0x20019, 0xf003f };
791
792 registry_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_procmon_registry_event, NULL((void*)0), "Registry Data");
793
794 switch(operation) {
795 case PROCMON_REGISTRY_OPERATION_OPEN_KEY0x0000:
796 case PROCMON_REGISTRY_OPERATION_CREATE_KEY0x0001:
797 {
798 static const value_string desired_access_vals[] = {
799 {0xf003f, "All Access"},
800 {0x2001f, "Read/Write"},
801 {0x20019, "Read"},
802 {0x20006, "Write"},
803 {0x1, "Query Value"},
804 {0x2, "Set Value"},
805 {0x4, "Create Sub Key"},
806 {0x8, "Enumerate Sub Keys"},
807 {0x10, "Notify"},
808 {0x20, "Create Link"},
809 {0x300, "WOW64_Res"},
810 {0x200, "WOW64_32Key"},
811 {0x100, "WOW64_64Key"},
812 {0x10000, "Delete"},
813 {0x20000, "Read Control"},
814 {0x40000, "Write DAC"},
815 {0x80000, "Write Owner"},
816 {0x100000, "Synchronize"},
817 {0x1000000, "Access System Security"},
818 {0x2000000, "Maximum Allowed"},
819 { 0, NULL((void*)0) }
820 };
821 uint32_t desired_access;
822
823 dissect_procmon_detail_string_info(tvb, registry_tree, offset,
824 hf_procmon_registry_key_size, hf_procmon_registry_key_is_ascii, hf_procmon_registry_key_char_count, ett_procmon_registry_key,
825 &is_value_ascii, &value_char_count);
826 offset += 2;
827
828 //Unknown fields
829 offset += 2;
830
831 desired_access = tvb_get_letohl(tvb, offset);
832 dissect_procmon_access_mask(tvb, pinfo, registry_tree, offset, hf_procmon_registry_desired_access, 4, registry_access_mask_mapping, desired_access_vals);
833 offset += 4;
834 offset = dissect_procmon_detail_string(tvb, registry_tree, offset, is_value_ascii, value_char_count, hf_procmon_registry_key);
Value stored to 'offset' is never read
835
836 if (tvb_reported_length(extra_details_tvb) > 0)
837 {
838 if (desired_access & 0x2000000)
839 dissect_procmon_access_mask(extra_details_tvb, pinfo, registry_tree, extra_offset, hf_procmon_registry_granted_access, 4, registry_access_mask_mapping, desired_access_vals);
840
841 extra_offset += 4;
842 proto_tree_add_item(registry_tree, hf_procmon_registry_disposition, extra_details_tvb, extra_offset, 4, ENC_LITTLE_ENDIAN0x80000000);
843 extra_offset += 4;
844 }
845 break;
846 }
847 case PROCMON_REGISTRY_OPERATION_CLOSE_KEY0x0002:
848 case PROCMON_REGISTRY_OPERATION_FLUSH_KEY0x000B:
849 case PROCMON_REGISTRY_OPERATION_UNLOAD_KEY0x000D:
850 dissect_procmon_detail_string_info(tvb, registry_tree, offset,
851 hf_procmon_registry_key_size, hf_procmon_registry_key_is_ascii, hf_procmon_registry_key_char_count, ett_procmon_registry_key,
852 &is_value_ascii, &value_char_count);
853 offset += 2;
854 offset = dissect_procmon_detail_string(tvb, registry_tree, offset, is_value_ascii, value_char_count, hf_procmon_registry_key);
855 break;
856
857 case PROCMON_REGISTRY_OPERATION_QUERY_KEY0x0003:
858 {
859 proto_item* info_item;
860 dissect_procmon_detail_string_info(tvb, registry_tree, offset,
861 hf_procmon_registry_key_size, hf_procmon_registry_key_is_ascii, hf_procmon_registry_key_char_count, ett_procmon_registry_key,
862 &is_value_ascii, &value_char_count);
863 offset += 2;
864
865 //Unknown fields
866 offset += 2;
867
868 proto_tree_add_item(registry_tree, hf_procmon_registry_length, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
869 offset += 4;
870 info_item = proto_tree_add_item_ret_uint(registry_tree, hf_procmon_registry_key_information_class, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &information_class);
871 if (try_val_to_str(information_class, registry_key_information_class_vals) == NULL((void*)0))
872 expert_add_info_format(pinfo, info_item, &ei_procmon_unknown_operation, "Unknown Registry Key Information Class: %u", information_class);
873 offset += 4;
874 offset = dissect_procmon_detail_string(tvb, registry_tree, offset, is_value_ascii, value_char_count, hf_procmon_registry_key);
875 if (tvb_reported_length(extra_details_tvb) > 0)
876 extra_offset += procmon_registry_query_or_enum_key_extra_details(registry_tree, extra_details_tvb, information_class);
877 break;
878 }
879 case PROCMON_REGISTRY_OPERATION_QUERY_VALUE0x0005:
880 dissect_procmon_detail_string_info(tvb, registry_tree, offset,
881 hf_procmon_registry_value_size, hf_procmon_registry_value_is_ascii, hf_procmon_registry_value_char_count, ett_procmon_registry_value,
882 &is_value_ascii, &value_char_count);
883 offset += 2;
884
885 //Unknown fields
886 offset += 2;
887
888 proto_tree_add_item(registry_tree, hf_procmon_registry_length, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
889 offset += 4;
890 proto_tree_add_item_ret_uint(registry_tree, hf_procmon_registry_value_information_class, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &information_class);
891 offset += 4;
892 offset = dissect_procmon_detail_string(tvb, registry_tree, offset, is_value_ascii, value_char_count, hf_procmon_registry_value);
893 if (tvb_reported_length(extra_details_tvb) > 0)
894 extra_offset += procmon_registry_query_or_enum_value_extra_details(registry_tree, pinfo, extra_details_tvb, information_class);
895 break;
896
897 case PROCMON_REGISTRY_OPERATION_ENUM_KEY0x0007:
898 {
899 dissect_procmon_detail_string_info(tvb, registry_tree, offset,
900 hf_procmon_registry_key_size, hf_procmon_registry_key_is_ascii, hf_procmon_registry_key_char_count, ett_procmon_registry_key,
901 &is_value_ascii, &value_char_count);
902 offset += 2;
903
904 //Unknown fields
905 offset += 2;
906
907 proto_tree_add_item(registry_tree, hf_procmon_registry_length, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
908 offset += 4;
909 proto_tree_add_item(registry_tree, hf_procmon_registry_index, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
910 offset += 4;
911 proto_tree_add_item_ret_uint(registry_tree, hf_procmon_registry_key_information_class, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &information_class);
912 offset += 4;
913 offset = dissect_procmon_detail_string(tvb, registry_tree, offset, is_value_ascii, value_char_count, hf_procmon_registry_key);
914 if (tvb_reported_length(extra_details_tvb) > 0)
915 extra_offset += procmon_registry_query_or_enum_key_extra_details(registry_tree, extra_details_tvb, information_class);
916 break;
917 }
918 case PROCMON_REGISTRY_OPERATION_ENUM_VALUE0x0006:
919 dissect_procmon_detail_string_info(tvb, registry_tree, offset,
920 hf_procmon_registry_value_size, hf_procmon_registry_value_is_ascii, hf_procmon_registry_value_char_count, ett_procmon_registry_value,
921 &is_value_ascii, &value_char_count);
922 offset += 2;
923
924 //Unknown fields
925 offset += 2;
926
927 proto_tree_add_item(registry_tree, hf_procmon_registry_length, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
928 offset += 4;
929 proto_tree_add_item(registry_tree, hf_procmon_registry_index, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
930 offset += 4;
931 proto_tree_add_item_ret_uint(registry_tree, hf_procmon_registry_value_information_class, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &information_class);
932 offset += 4;
933 offset = dissect_procmon_detail_string(tvb, registry_tree, offset, is_value_ascii, value_char_count, hf_procmon_registry_value);
934 if (tvb_reported_length(extra_details_tvb) > 0)
935 extra_offset += procmon_registry_query_or_enum_value_extra_details(registry_tree, pinfo, extra_details_tvb, information_class);
936 break;
937
938 case PROCMON_REGISTRY_OPERATION_SET_VALUE0x0004:
939 dissect_procmon_detail_string_info(tvb, registry_tree, offset,
940 hf_procmon_registry_value_size, hf_procmon_registry_value_is_ascii, hf_procmon_registry_value_char_count, ett_procmon_registry_value,
941 &is_value_ascii, &value_char_count);
942 offset += 2;
943
944 //Unknown fields
945 offset += 2;
946
947 proto_tree_add_item_ret_uint(registry_tree, hf_procmon_registry_type, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &type);
948 offset += 4;
949 proto_tree_add_item(registry_tree, hf_procmon_registry_length, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
950 offset += 4;
951 proto_tree_add_item(registry_tree, hf_procmon_registry_data_length, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
952 offset += 4;
953 offset = dissect_procmon_detail_string(tvb, registry_tree, offset, is_value_ascii, value_char_count, hf_procmon_registry_value);
954 if (tvb_reported_length(extra_details_tvb) > 0)
955 extra_offset += procmon_read_registry_data(registry_tree, pinfo, extra_details_tvb, extra_offset, type, tvb_reported_length(extra_details_tvb));
956 break;
957 case PROCMON_REGISTRY_OPERATION_SET_INFO_KEY0x0008:
958 dissect_procmon_detail_string_info(tvb, registry_tree, offset,
959 hf_procmon_registry_key_size, hf_procmon_registry_key_is_ascii, hf_procmon_registry_key_char_count, ett_procmon_registry_key,
960 &is_value_ascii, &value_char_count);
961 offset += 2;
962
963 //Unknown fields
964 offset += 2;
965
966 proto_tree_add_item_ret_uint(registry_tree, hf_procmon_registry_key_set_information_class, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &information_class);
967 offset += 4;
968
969 //Unknown fields
970 offset += 4;
971
972 proto_tree_add_item(registry_tree, hf_procmon_registry_length, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
973 offset += 2;
974
975 //Unknown fields
976 offset += 2;
977
978 offset = dissect_procmon_detail_string(tvb, registry_tree, offset, is_value_ascii, value_char_count, hf_procmon_registry_key);
979
980 if (tvb_reported_length(extra_details_tvb) > 0)
981 {
982 switch (information_class)
983 {
984 case PROCMON_REGISTRY_KEY_SET_INFORMATION_WRITE_TIME_INFO0:
985 {
986 nstime_t timestamp;
987 filetime_to_nstime(&timestamp, tvb_get_letoh64(extra_details_tvb, offset));
988 proto_tree_add_time(registry_tree, hf_procmon_registry_key_set_information_write_time, extra_details_tvb, extra_offset, 8, &timestamp);
989 extra_offset += 8;
990 break;
991 }
992 case PROCMON_REGISTRY_KEY_SET_INFORMATION_WOW64_FLAGS_INFO1:
993 proto_tree_add_item(registry_tree, hf_procmon_registry_key_set_information_wow64_flags, extra_details_tvb, extra_offset, 4, ENC_LITTLE_ENDIAN0x80000000);
994 extra_offset += 4;
995 break;
996 case PROCMON_REGISTRY_KEY_SET_INFORMATION_HANDLE_TAGS_INFO2:
997 proto_tree_add_item(registry_tree, hf_procmon_registry_key_set_information_handle_tags, extra_details_tvb, extra_offset, 4, ENC_LITTLE_ENDIAN0x80000000);
998 extra_offset += 4;
999 break;
1000 }
1001 }
1002 break;
1003
1004 case PROCMON_REGISTRY_OPERATION_DELETE_KEY0x0009:
1005 dissect_procmon_detail_string_info(tvb, registry_tree, offset,
1006 hf_procmon_registry_key_size, hf_procmon_registry_key_is_ascii, hf_procmon_registry_key_char_count, ett_procmon_registry_key,
1007 &is_value_ascii, &value_char_count);
1008 offset += 2;
1009 offset = dissect_procmon_detail_string(tvb, registry_tree, offset, is_value_ascii, value_char_count, hf_procmon_registry_key);
1010 break;
1011
1012 case PROCMON_REGISTRY_OPERATION_DELETE_VALUE0x000A:
1013 dissect_procmon_detail_string_info(tvb, registry_tree, offset,
1014 hf_procmon_registry_value_size, hf_procmon_registry_value_is_ascii, hf_procmon_registry_value_char_count, ett_procmon_registry_value,
1015 &is_value_ascii, &value_char_count);
1016 offset += 2;
1017
1018 offset = dissect_procmon_detail_string(tvb, registry_tree, offset, is_value_ascii, value_char_count, hf_procmon_registry_value);
1019 break;
1020
1021 case PROCMON_REGISTRY_OPERATION_LOAD_KEY0x000C:
1022 case PROCMON_REGISTRY_OPERATION_RENAME_KEY0x000E:
1023 dissect_procmon_detail_string_info(tvb, registry_tree, offset,
1024 hf_procmon_registry_key_size, hf_procmon_registry_key_is_ascii, hf_procmon_registry_key_char_count, ett_procmon_registry_key,
1025 &is_value_ascii, &value_char_count);
1026 offset += 2;
1027 dissect_procmon_detail_string_info(tvb, registry_tree, offset,
1028 hf_procmon_registry_new_key_size, hf_procmon_registry_new_key_is_ascii, hf_procmon_registry_new_key_char_count, ett_procmon_registry_new_key,
1029 &is_new_value_ascii, &new_value_char_count);
1030 offset += 2;
1031 offset = dissect_procmon_detail_string(tvb, registry_tree, offset, is_value_ascii, value_char_count, hf_procmon_registry_key);
1032 extra_offset += dissect_procmon_detail_string(extra_details_tvb, registry_tree, extra_offset, is_new_value_ascii, new_value_char_count, hf_procmon_registry_new_key);
1033 break;
1034
1035 case PROCMON_REGISTRY_OPERATION_QUERY_MULTIPLE_VALUE0x000F:
1036 dissect_procmon_detail_string_info(tvb, registry_tree, offset,
1037 hf_procmon_registry_value_size, hf_procmon_registry_value_is_ascii, hf_procmon_registry_value_char_count, ett_procmon_registry_value,
1038 &is_value_ascii, &value_char_count);
1039 offset += 2;
1040
1041 offset = dissect_procmon_detail_string(tvb, registry_tree, offset, is_value_ascii, value_char_count, hf_procmon_registry_value);
1042 break;
1043
1044 case PROCMON_REGISTRY_OPERATION_SET_KEY_SECURITY0x0010:
1045 dissect_procmon_detail_string_info(tvb, registry_tree, offset,
1046 hf_procmon_registry_key_size, hf_procmon_registry_key_is_ascii, hf_procmon_registry_key_char_count, ett_procmon_registry_key,
1047 &is_value_ascii, &value_char_count);
1048 offset += 2;
1049 offset = dissect_procmon_detail_string(tvb, registry_tree, offset, is_value_ascii, value_char_count, hf_procmon_registry_key);
1050 break;
1051
1052 case PROCMON_REGISTRY_OPERATION_QUERY_KEY_SECURITY0x0011:
1053 dissect_procmon_detail_string_info(tvb, registry_tree, offset,
1054 hf_procmon_registry_key_size, hf_procmon_registry_key_is_ascii, hf_procmon_registry_key_char_count, ett_procmon_registry_key,
1055 &is_value_ascii, &value_char_count);
1056 offset += 2;
1057 offset = dissect_procmon_detail_string(tvb, registry_tree, offset, is_value_ascii, value_char_count, hf_procmon_registry_key);
1058 break;
1059 }
1060
1061 return (extra_offset != 0);
1062}
1063
/* Procmon file-system event operation codes (the sub-operation carried by a
 * file-system event record).  The numbering is procmon's own, not the
 * Windows IRP major-function numbering; the IRP_MJ_n names for 8-12 are kept
 * literal here and interpreted in filesystem_operation_vals. */
#define PROCMON_FILESYSTEM_OPERATION_VOLUME_DISMOUNT 0
#define PROCMON_FILESYSTEM_OPERATION_VOLUME_MOUNT 1
#define PROCMON_FILESYSTEM_OPERATION_FASTIO_MDL_WRITE_COMPLETE 2
#define PROCMON_FILESYSTEM_OPERATION_WRITE_FILE2 3
#define PROCMON_FILESYSTEM_OPERATION_FASTIO_MDL_READ_COMPLETE 4
#define PROCMON_FILESYSTEM_OPERATION_READ_FILE2 5
#define PROCMON_FILESYSTEM_OPERATION_QUERY_OPEN 6
#define PROCMON_FILESYSTEM_OPERATION_FASTIO_CHECK_IF_POSSIBLE 7
#define PROCMON_FILESYSTEM_OPERATION_IRP_MJ_12 8
#define PROCMON_FILESYSTEM_OPERATION_IRP_MJ_11 9
#define PROCMON_FILESYSTEM_OPERATION_IRP_MJ_10 10
#define PROCMON_FILESYSTEM_OPERATION_IRP_MJ_9 11
#define PROCMON_FILESYSTEM_OPERATION_IRP_MJ_8 12
#define PROCMON_FILESYSTEM_OPERATION_FASTIO_NOTIFY_STREAM_FO_CREATION 13
#define PROCMON_FILESYSTEM_OPERATION_FASTIO_RELEASE_FOR_CC_FLUSH 14
#define PROCMON_FILESYSTEM_OPERATION_FASTIO_ACQUIRE_FOR_CC_FLUSH 15
#define PROCMON_FILESYSTEM_OPERATION_FASTIO_RELEASE_FOR_MOD_WRITE 16
#define PROCMON_FILESYSTEM_OPERATION_FASTIO_ACQUIRE_FOR_MOD_WRITE 17
#define PROCMON_FILESYSTEM_OPERATION_FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION 18
#define PROCMON_FILESYSTEM_OPERATION_CREATE_FILE_MAPPING 19
#define PROCMON_FILESYSTEM_OPERATION_CREATE_FILE 20
#define PROCMON_FILESYSTEM_OPERATION_CREATE_PIPE 21
#define PROCMON_FILESYSTEM_OPERATION_IRP_MJ_CLOSE 22
#define PROCMON_FILESYSTEM_OPERATION_READ_FILE 23
#define PROCMON_FILESYSTEM_OPERATION_WRITE_FILE 24
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE 25
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE 26
#define PROCMON_FILESYSTEM_OPERATION_QUERY_EA_FILE 27
#define PROCMON_FILESYSTEM_OPERATION_SET_EA_FILE 28
#define PROCMON_FILESYSTEM_OPERATION_FLUSH_BUFFERS_FILE 29
#define PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION 30
#define PROCMON_FILESYSTEM_OPERATION_SET_VOLUME_INFORMATION 31
#define PROCMON_FILESYSTEM_OPERATION_DIRECTORY_CONTROL 32
#define PROCMON_FILESYSTEM_OPERATION_FILE_SYSTEM_CONTROL 33
#define PROCMON_FILESYSTEM_OPERATION_DEVICE_IO_CONTROL 34
#define PROCMON_FILESYSTEM_OPERATION_INTERNAL_DEVICE_IO_CONTROL 35
#define PROCMON_FILESYSTEM_OPERATION_SHUTDOWN 36
#define PROCMON_FILESYSTEM_OPERATION_LOCK_UNLOCK_FILE 37
#define PROCMON_FILESYSTEM_OPERATION_CLOSE_FILE 38
#define PROCMON_FILESYSTEM_OPERATION_CREATE_MAIL_SLOT 39
#define PROCMON_FILESYSTEM_OPERATION_QUERY_SECURITY_FILE 40
#define PROCMON_FILESYSTEM_OPERATION_SET_SECURITY_FILE 41
#define PROCMON_FILESYSTEM_OPERATION_POWER 42
#define PROCMON_FILESYSTEM_OPERATION_SYSTEM_CONTROL 43
#define PROCMON_FILESYSTEM_OPERATION_DEVICE_CHANGE 44
#define PROCMON_FILESYSTEM_OPERATION_QUERY_FILE_QUOTA 45
#define PROCMON_FILESYSTEM_OPERATION_SET_FILE_QUOTA 46
#define PROCMON_FILESYSTEM_OPERATION_PLUG_AND_PLAY 47
1112
/* Display names for PROCMON_FILESYSTEM_OPERATION_*.
 * NOTE(review): entries 8-12 are defined as literal IRP_MJ_12..IRP_MJ_8 but
 * rendered as specific IRP major functions (CLEANUP, SET_INFORMATION, ...);
 * nothing in this file establishes that correspondence - verify against
 * captures before relying on these labels. */
static const value_string filesystem_operation_vals[] = {
    { PROCMON_FILESYSTEM_OPERATION_VOLUME_DISMOUNT, "Volume Dismount" },
    { PROCMON_FILESYSTEM_OPERATION_VOLUME_MOUNT, "Volume Mount" },
    { PROCMON_FILESYSTEM_OPERATION_FASTIO_MDL_WRITE_COMPLETE, "Fast I/O MDL Write Complete" },
    { PROCMON_FILESYSTEM_OPERATION_WRITE_FILE2, "Write File 2" },
    { PROCMON_FILESYSTEM_OPERATION_FASTIO_MDL_READ_COMPLETE, "Fast I/O MDL Read Complete" },
    { PROCMON_FILESYSTEM_OPERATION_READ_FILE2, "Read File 2" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_OPEN, "Query Open" },
    { PROCMON_FILESYSTEM_OPERATION_FASTIO_CHECK_IF_POSSIBLE, "Fast I/O Check If Possible" },
    { PROCMON_FILESYSTEM_OPERATION_IRP_MJ_12, "IRP_MJ_CLEANUP" },
    { PROCMON_FILESYSTEM_OPERATION_IRP_MJ_11, "IRP_MJ_SET_INFORMATION" },
    { PROCMON_FILESYSTEM_OPERATION_IRP_MJ_10, "IRP_MJ_QUERY_INFORMATION" },
    { PROCMON_FILESYSTEM_OPERATION_IRP_MJ_9, "IRP_MJ_FLUSH_BUFFERS" },
    { PROCMON_FILESYSTEM_OPERATION_IRP_MJ_8, "IRP_MJ_DIRECTORY_CONTROL" },
    { PROCMON_FILESYSTEM_OPERATION_FASTIO_NOTIFY_STREAM_FO_CREATION, "Fast I/O Notify Stream File Object Creation" },
    { PROCMON_FILESYSTEM_OPERATION_FASTIO_RELEASE_FOR_CC_FLUSH, "Fast I/O Release For Cache Manager Flush" },
    { PROCMON_FILESYSTEM_OPERATION_FASTIO_ACQUIRE_FOR_CC_FLUSH, "Fast I/O Acquire For Cache Manager Flush" },
    { PROCMON_FILESYSTEM_OPERATION_FASTIO_RELEASE_FOR_MOD_WRITE, "Fast I/O Release For Modified Write" },
    { PROCMON_FILESYSTEM_OPERATION_FASTIO_ACQUIRE_FOR_MOD_WRITE, "Fast I/O Acquire For Modified Write" },
    { PROCMON_FILESYSTEM_OPERATION_FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION, "Fast I/O Release For Section Synchronization" },
    { PROCMON_FILESYSTEM_OPERATION_CREATE_FILE_MAPPING, "Create File Mapping" },
    { PROCMON_FILESYSTEM_OPERATION_CREATE_FILE, "Create File" },
    { PROCMON_FILESYSTEM_OPERATION_CREATE_PIPE, "Create Pipe" },
    { PROCMON_FILESYSTEM_OPERATION_IRP_MJ_CLOSE, "IRP_MJ_CLOSE" },
    { PROCMON_FILESYSTEM_OPERATION_READ_FILE, "Read File" },
    { PROCMON_FILESYSTEM_OPERATION_WRITE_FILE, "Write File" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE, "Query Information File" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE, "Set Information File" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_EA_FILE, "Query EA File" },
    { PROCMON_FILESYSTEM_OPERATION_SET_EA_FILE, "Set EA File" },
    { PROCMON_FILESYSTEM_OPERATION_FLUSH_BUFFERS_FILE, "Flush Buffers File" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION, "Query Volume Information" },
    { PROCMON_FILESYSTEM_OPERATION_SET_VOLUME_INFORMATION, "Set Volume Information" },
    { PROCMON_FILESYSTEM_OPERATION_DIRECTORY_CONTROL, "Directory Control" },
    { PROCMON_FILESYSTEM_OPERATION_FILE_SYSTEM_CONTROL, "File System Control" },
    { PROCMON_FILESYSTEM_OPERATION_DEVICE_IO_CONTROL, "Device I/O Control" },
    { PROCMON_FILESYSTEM_OPERATION_INTERNAL_DEVICE_IO_CONTROL, "Internal Device I/O Control" },
    { PROCMON_FILESYSTEM_OPERATION_SHUTDOWN, "Shutdown" },
    { PROCMON_FILESYSTEM_OPERATION_LOCK_UNLOCK_FILE, "Lock/Unlock File" },
    { PROCMON_FILESYSTEM_OPERATION_CLOSE_FILE, "Close File" },
    { PROCMON_FILESYSTEM_OPERATION_CREATE_MAIL_SLOT, "Create Mail Slot" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_SECURITY_FILE, "Query Security File" },
    { PROCMON_FILESYSTEM_OPERATION_SET_SECURITY_FILE, "Set Security File" },
    { PROCMON_FILESYSTEM_OPERATION_POWER, "Power" },
    { PROCMON_FILESYSTEM_OPERATION_SYSTEM_CONTROL, "System Control" },
    { PROCMON_FILESYSTEM_OPERATION_DEVICE_CHANGE, "Device Change" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_FILE_QUOTA, "Query File Quota" },
    { PROCMON_FILESYSTEM_OPERATION_SET_FILE_QUOTA, "Set File Quota" },
    { PROCMON_FILESYSTEM_OPERATION_PLUG_AND_PLAY, "Plug and Play" },
    { 0, NULL }
};
1164
/* Information-class codes for Query Information File events.  The numbering
 * and names look like the Windows FILE_INFORMATION_CLASS enumeration
 * (FileBasicInformation = 4, FileStandardInformation = 5, ...), but that is
 * inferred from the names, not established in this file.  The gaps are
 * classes this dissector does not label. */
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_BASIC 0x04
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_STANDARD 0x05
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_INTERNAL 0x06
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_EA 0x07
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_NAME 0x09
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_POSITION 0x0E
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ALL 0x12
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_END_OF_FILE 0x14
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_STREAM 0x16
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_COMPRESSION 0x1C
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ID 0x1D
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_MOVE_CLUSTER 0x1F
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_NETWORK_OPEN 0x22
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ATTRIBUTE_TAG 0x23
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ID_BOTH_DIRECTORY 0x25
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_VALID_DATA_LENGTH 0x27
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_SHORT_NAME 0x28
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_IO_PRIORITY_HINT 0x2B
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_LINKS 0x2E
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_NAMES 0x2F
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_NORMALIZED_NAME 0x30
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_NETWORK_PHYSICAL_NAME 0x31
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ID_GLOBAL_TX_DIRECTORY 0x32
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_IS_REMOTE_DEVICE 0x33
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ATTRIBUTE_CACHE 0x34
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_NUMA_NODE 0x35
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_STANDARD_LINK 0x36
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_REMOTE_PROTOCOL 0x37
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_RENAME_BYPASS_ACCESS 0x38
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_LINK_BYPASS_ACCESS 0x39
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_VOLUME_NAME 0x3A
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ID_INFO 0x3B
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ID_EXTD_DIRECTORY 0x3C
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_HARD_LINK_FULL_ID 0x3E
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ID_EXTD_BOTH_DIRECTORY 0x3F
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_DESIRED_STORAGE_CLASS 0x43
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_STAT 0x44
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_MEMORY_PARTITION 0x45
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_SAT_LX 0x46
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_CASE_SENSITIVE 0x47
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_LINK_EX 0x48
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_STORAGE_RESERVED_ID 0x4A
#define PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_CASE_SENSITIVE_FORCE_ACCESS 0x4B
1208
/*
 * Display labels for the sub-operation of a "Query Information File" event.
 * Each value is one of the PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_*
 * constants defined above; the list ends with the {0, NULL} sentinel that
 * value_string lookups require.
 */
static const value_string filesystem_operation_query_info_vals[] = {
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_BASIC,                       "Basic" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_STANDARD,                    "Standard" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_INTERNAL,                    "Internal" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_EA,                          "EA" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_NAME,                        "Name" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_POSITION,                    "Position" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ALL,                         "All" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_END_OF_FILE,                 "End of File" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_STREAM,                      "Stream" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_COMPRESSION,                 "Compression" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ID,                          "ID" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_MOVE_CLUSTER,                "Move Cluster" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_NETWORK_OPEN,                "Network Open" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ATTRIBUTE_TAG,               "Attribute Tag" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ID_BOTH_DIRECTORY,           "ID Both Directory" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_VALID_DATA_LENGTH,           "Valid Data Length" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_SHORT_NAME,                  "Short Name" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_IO_PRIORITY_HINT,            "I/O Priority Hint" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_LINKS,                       "Links" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_NAMES,                       "Names" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_NORMALIZED_NAME,             "Normalized Name" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_NETWORK_PHYSICAL_NAME,       "Network Physical Name" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ID_GLOBAL_TX_DIRECTORY,      "ID Global TX Directory" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_IS_REMOTE_DEVICE,            "Is Remote Device" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ATTRIBUTE_CACHE,             "Attribute Cache" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_NUMA_NODE,                   "NUMA Node" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_STANDARD_LINK,               "Standard Link" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_REMOTE_PROTOCOL,             "Remote Protocol" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_RENAME_BYPASS_ACCESS,        "Rename Bypass Access" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_LINK_BYPASS_ACCESS,          "Link Bypass Access" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_VOLUME_NAME,                 "Volume Name" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ID_INFO,                     "ID Info" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ID_EXTD_DIRECTORY,           "ID Extended Directory" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_HARD_LINK_FULL_ID,           "Hard Link Full ID" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_ID_EXTD_BOTH_DIRECTORY,      "ID Extended Both Directory" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_DESIRED_STORAGE_CLASS,       "Desired Storage Class" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_STAT,                        "Stat" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_MEMORY_PARTITION,            "Memory Partition" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_SAT_LX,                      "SAT LX" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_CASE_SENSITIVE,              "Case Sensitive" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_LINK_EX,                     "Link Ex" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_STORAGE_RESERVED_ID,         "Storage Reserved ID" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE_CASE_SENSITIVE_FORCE_ACCESS, "Case Sensitive Force Access" },
    { 0, NULL }
};
1255
1256
/*
 * Sub-operation codes carried by a "Set Information File" event.  The values
 * are sparse (only the classes Procmon reports are listed); they feed the
 * filesystem_operation_set_info_vals table that follows.
 */
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_BASIC                   0x04
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_RENAME                  0x0A
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_LINK                    0x0B
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_DISPOSITION             0x0D
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_POSITION                0x0E
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_ALLOCATION              0x13
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_END_OF_FILE             0x14
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_STREAM                  0x16
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_PIPE                    0x17
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_VALID_DATA_LENGTH       0x27
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_SHORT_NAME              0x28
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_REPLACE_COMPLETION      0x3D
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_DISPOSITION_EX          0x40
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_RENAME_EX               0x41
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_RENAME_EX_BYPASS_ACCESS 0x42
#define PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_STORAGE_RESERVE_ID      0x4A
1273
/*
 * Display labels for the sub-operation of a "Set Information File" event,
 * keyed by the PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_* constants.
 * NOTE(review): "Short name" differs in capitalisation from the query table's
 * "Short Name"; kept as-is so displayed output does not change.
 */
static const value_string filesystem_operation_set_info_vals[] = {
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_BASIC,                   "Basic" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_RENAME,                  "Rename" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_LINK,                    "Link" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_DISPOSITION,             "Disposition" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_POSITION,                "Position" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_ALLOCATION,              "Allocation" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_END_OF_FILE,             "End of File" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_STREAM,                  "Stream" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_PIPE,                    "Pipe" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_VALID_DATA_LENGTH,       "Valid Data Length" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_SHORT_NAME,              "Short name" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_REPLACE_COMPLETION,      "Replace Completion" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_DISPOSITION_EX,          "DispositionEx" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_RENAME_EX,               "RenameEx" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_RENAME_EX_BYPASS_ACCESS, "RenameEx Bypass Access" },
    { PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_STORAGE_RESERVE_ID,      "Storage Reserve ID" },
    { 0, NULL }
};
1293
/* Sub-operation codes of a "Query Volume Information" event (contiguous 1..8). */
#define PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_INFORMATION 0x1
#define PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_LABEL       0x2
#define PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_SIZE        0x3
#define PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_DEVICE      0x4
#define PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_ATTRIBUTE   0x5
#define PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_CONTROL     0x6
#define PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_FULL_SIZE   0x7
#define PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_OBJECT_ID   0x8
1302
/* Display labels for the "Query Volume Information" sub-operation codes. */
static const value_string filesystem_operation_query_volume_info_vals[] = {
    { PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_INFORMATION, "Query Information" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_LABEL,       "Query Label" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_SIZE,        "Query Size" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_DEVICE,      "Query Device" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_ATTRIBUTE,   "Query Attribute" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_CONTROL,     "Query Control" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_FULL_SIZE,   "Query Full Size" },
    { PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION_QUERY_OBJECT_ID,   "Query Object ID" },
    { 0, NULL }
};
1314
/* Sub-operation codes of a "Set Volume Information" event (note the gap 0x03..0x07). */
#define PROCMON_FILESYSTEM_OPERATION_SET_VOLUME_INFORMATION_CONTROL   0x01
#define PROCMON_FILESYSTEM_OPERATION_SET_VOLUME_INFORMATION_LABEL     0x02
#define PROCMON_FILESYSTEM_OPERATION_SET_VOLUME_INFORMATION_OBJECT_ID 0x08
1318
/* Display labels for the "Set Volume Information" sub-operation codes. */
static const value_string filesystem_operation_set_volume_info_vals[] = {
    { PROCMON_FILESYSTEM_OPERATION_SET_VOLUME_INFORMATION_CONTROL,   "Control" },
    { PROCMON_FILESYSTEM_OPERATION_SET_VOLUME_INFORMATION_LABEL,     "Label" },
    { PROCMON_FILESYSTEM_OPERATION_SET_VOLUME_INFORMATION_OBJECT_ID, "Object ID" },
    { 0, NULL }
};
1325
/* Sub-operation codes of a "Directory Control" event. */
#define PROCMON_FILESYSTEM_OPERATION_DIRECTORY_CONTROL_QUERY         0x01
#define PROCMON_FILESYSTEM_OPERATION_DIRECTORY_CONTROL_NOTIFY_CHANGE 0x02
1328
/* Display labels for the "Directory Control" sub-operation codes. */
static const value_string filesystem_operation_directory_control_vals[] = {
    { PROCMON_FILESYSTEM_OPERATION_DIRECTORY_CONTROL_QUERY,         "Query" },
    { PROCMON_FILESYSTEM_OPERATION_DIRECTORY_CONTROL_NOTIFY_CHANGE, "Notify Change" },
    { 0, NULL }
};
1334
/*
 * Minor-function codes of a Plug and Play event.  The sequence is contiguous
 * except that 0x0E has no entry, so a lookup for that value falls through.
 */
#define PROCMON_FILESYSTEM_OPERATION_PNP_START_DEVICE                 0x00
#define PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_REMOVE_DEVICE          0x01
#define PROCMON_FILESYSTEM_OPERATION_PNP_REMOVE_DEVICE                0x02
#define PROCMON_FILESYSTEM_OPERATION_PNP_CANCEL_REMOVE_DEVICE         0x03
#define PROCMON_FILESYSTEM_OPERATION_PNP_STOP_DEVICE                  0x04
#define PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_STOP_DEVICE            0x05
#define PROCMON_FILESYSTEM_OPERATION_PNP_CANCEL_STOP_DEVICE           0x06
#define PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_DEVICE_RELATIONS       0x07
#define PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_INTERFACE              0x08
#define PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_CAPABILITIES           0x09
#define PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_RESOURCES              0x0A
#define PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_RESOURCE_REQUIREMENTS  0x0B
#define PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_DEVICE_TEXT            0x0C
#define PROCMON_FILESYSTEM_OPERATION_PNP_FILTER_RESOURCE_REQUIREMENTS 0x0D
#define PROCMON_FILESYSTEM_OPERATION_PNP_READ_CONFIG                  0x0F
#define PROCMON_FILESYSTEM_OPERATION_PNP_WRITE_CONFIG                 0x10
#define PROCMON_FILESYSTEM_OPERATION_PNP_EJECT                        0x11
#define PROCMON_FILESYSTEM_OPERATION_PNP_SET_LOCK                     0x12
#define PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_ID2                    0x13
#define PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_PNP_DEVICE_STATE       0x14
#define PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_BUS_INFORMATION        0x15
#define PROCMON_FILESYSTEM_OPERATION_PNP_DEVICE_USAGE_NOTIFICATION    0x16
#define PROCMON_FILESYSTEM_OPERATION_PNP_SURPRISE_REMOVAL             0x17
#define PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_LEGACY_BUS_INFORMATION 0x18
1359
/* Display labels for the Plug and Play minor-function codes above. */
static const value_string filesystem_operation_pnp_vals[] = {
    { PROCMON_FILESYSTEM_OPERATION_PNP_START_DEVICE,                 "Start Device" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_REMOVE_DEVICE,          "Query Remove Device" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_REMOVE_DEVICE,                "Remove Device" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_CANCEL_REMOVE_DEVICE,         "Cancel Remove Device" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_STOP_DEVICE,                  "Stop Device" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_STOP_DEVICE,            "Query Stop Device" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_CANCEL_STOP_DEVICE,           "Cancel Stop Device" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_DEVICE_RELATIONS,       "Query Device Relations" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_INTERFACE,              "Query Interface" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_CAPABILITIES,           "Query Capabilities" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_RESOURCES,              "Query Resources" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_RESOURCE_REQUIREMENTS,  "Query Resource Requirements" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_DEVICE_TEXT,            "Query Device Text" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_FILTER_RESOURCE_REQUIREMENTS, "Filter Resource Requirements" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_READ_CONFIG,                  "Read Config" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_WRITE_CONFIG,                 "Write Config" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_EJECT,                        "Eject" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_SET_LOCK,                     "Set Lock" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_ID2,                    "Query ID2" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_PNP_DEVICE_STATE,       "Query PnP Device State" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_BUS_INFORMATION,        "Query Bus Information" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_DEVICE_USAGE_NOTIFICATION,    "Device Usage Notification" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_SURPRISE_REMOVAL,             "Surprise Removal" },
    { PROCMON_FILESYSTEM_OPERATION_PNP_QUERY_LEGACY_BUS_INFORMATION, "Query Legacy Bus Information" },
    { 0, NULL }
};
1387
/* Sub-operation codes of a "Lock/Unlock File" event. */
#define PROCMON_FILESYSTEM_OPERATION_LOCK_UNLOCK_FILE_LOCK          0x01
#define PROCMON_FILESYSTEM_OPERATION_LOCK_UNLOCK_FILE_UNLOCK_SINGLE 0x02
#define PROCMON_FILESYSTEM_OPERATION_LOCK_UNLOCK_FILE_UNLOCK_ALL    0x03
#define PROCMON_FILESYSTEM_OPERATION_LOCK_UNLOCK_FILE_UNLOCK_BY_KEY 0x04
1392
/* Display labels for the "Lock/Unlock File" sub-operation codes. */
static const value_string filesystem_operation_lock_unlock_file_vals[] = {
    { PROCMON_FILESYSTEM_OPERATION_LOCK_UNLOCK_FILE_LOCK,          "Lock" },
    { PROCMON_FILESYSTEM_OPERATION_LOCK_UNLOCK_FILE_UNLOCK_SINGLE, "Unlock Single" },
    { PROCMON_FILESYSTEM_OPERATION_LOCK_UNLOCK_FILE_UNLOCK_ALL,    "Unlock All" },
    { PROCMON_FILESYSTEM_OPERATION_LOCK_UNLOCK_FILE_UNLOCK_BY_KEY, "Unlock By Key" },
    { 0, NULL }
};
1400
/* Create-disposition codes of a file create/open event (contiguous 0..5). */
#define PROCMON_FILESYSTEM_DISPOSITION_SUPERSEDE    0x00
#define PROCMON_FILESYSTEM_DISPOSITION_OPEN         0x01
#define PROCMON_FILESYSTEM_DISPOSITION_CREATE       0x02
#define PROCMON_FILESYSTEM_DISPOSITION_OPEN_IF      0x03
#define PROCMON_FILESYSTEM_DISPOSITION_OVERWRITE    0x04
#define PROCMON_FILESYSTEM_DISPOSITION_OVERWRITE_IF 0x05
1407
/*
 * Display labels for the create-disposition codes.  Value 0 (Supersede) is a
 * real entry and precedes the {0, NULL} terminator, so a lookup for 0 matches it.
 */
static const value_string filesystem_disposition_vals[] = {
    { PROCMON_FILESYSTEM_DISPOSITION_SUPERSEDE,    "Supersede" },
    { PROCMON_FILESYSTEM_DISPOSITION_OPEN,         "Open" },
    { PROCMON_FILESYSTEM_DISPOSITION_CREATE,       "Create" },
    { PROCMON_FILESYSTEM_DISPOSITION_OPEN_IF,      "Open If" },
    { PROCMON_FILESYSTEM_DISPOSITION_OVERWRITE,    "Overwrite" },
    { PROCMON_FILESYSTEM_DISPOSITION_OVERWRITE_IF, "Overwrite If" },
    { 0, NULL }
};
1417
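/*
 * Display labels for the open-result field of a file create/open event.
 * NOTE(review): the numbering looks like the NtCreateFile IoStatusBlock
 * Information codes (FILE_SUPERSEDED .. FILE_DOES_NOT_EXIST); confirm against
 * the Procmon log format.  The label for 5 was "Does Not Exists", which is
 * ungrammatical and is corrected here; the numeric field value is unaffected.
 */
static const value_string filesystem_open_result_vals[] = {
    { 0, "Superseded" },
    { 1, "Opened" },
    { 2, "Created" },
    { 3, "Overwritten" },
    { 4, "Exists" },
    { 5, "Does Not Exist" },
    { 0, NULL }
};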
1427
/*
 * Display labels for the I/O priority of a read/write event.  Value 0 maps
 * to an empty string on purpose (it is a real entry, not the terminator), so
 * an unset priority renders blank rather than as "Unknown".
 */
static const value_string filesystem_readwrite_priority_vals[] = {
    { 0, "" },
    { 1, "Very Low" },
    { 2, "Low" },
    { 3, "Normal" },
    { 4, "High" },
    { 5, "Critical" },
    { 0, NULL }
};
1437
/*
 * Symbolic names for DeviceIoControl / FSCTL control codes seen in Procmon
 * device- and file-system-control events, keyed by the full control code.
 * Entries are kept in ascending numeric order (the value_string_ext wrapper
 * below relies on the table being searchable).  Names without an IOCTL_ or
 * FSCTL_ prefix (SMART_*, CSC_FSCTL_*) are reproduced as the log names them.
 */
static const value_string ioctl_code_vals[] = {
    /* CD-ROM class driver */
    { 0x24058,  "IOCTL_CDROM_GET_CONFIGURATION" },
    { 0x24800,  "IOCTL_CDROM_CHECK_VERIFY" },
    { 0x24804,  "IOCTL_CDROM_MEDIA_REMOVAL" },
    { 0x24808,  "IOCTL_CDROM_EJECT_MEDIA" },
    { 0x2480c,  "IOCTL_CDROM_LOAD_MEDIA" },
    /* SCSI port/miniport */
    { 0x41018,  "IOCTL_SCSI_GET_ADDRESS" },
    { 0x41020,  "IOCTL_SCSI_GET_DUMP_POINTERS" },
    { 0x41024,  "IOCTL_SCSI_FREE_DUMP_POINTERS" },
    { 0x4d004,  "IOCTL_SCSI_PASS_THROUGH" },
    { 0x4d014,  "IOCTL_SCSI_PASS_THROUGH_DIRECT" },
    /* DFS */
    { 0x60190,  "FSCTL_DFS_TRANSLATE_PATH" },
    { 0x60194,  "FSCTL_DFS_GET_REFERRALS" },
    { 0x60198,  "FSCTL_DFS_REPORT_INCONSISTENCY" },
    { 0x6019c,  "FSCTL_DFS_IS_SHARE_IN_DFS" },
    { 0x601a0,  "FSCTL_DFS_IS_ROOT" },
    { 0x601a4,  "FSCTL_DFS_GET_VERSION" },
    /* Disk class driver (read-only queries, then media control, then writes) */
    { 0x70000,  "IOCTL_DISK_GET_DRIVE_GEOMETRY" },
    { 0x70014,  "IOCTL_DISK_VERIFY" },
    { 0x70020,  "IOCTL_DISK_PERFORMANCE" },
    { 0x70024,  "IOCTL_DISK_IS_WRITABLE" },
    { 0x70028,  "IOCTL_DISK_LOGGING" },
    { 0x70030,  "IOCTL_DISK_HISTOGRAM_STRUCTURE" },
    { 0x70034,  "IOCTL_DISK_HISTOGRAM_DATA" },
    { 0x70038,  "IOCTL_DISK_HISTOGRAM_RESET" },
    { 0x7003c,  "IOCTL_DISK_REQUEST_STRUCTURE" },
    { 0x70040,  "IOCTL_DISK_REQUEST_DATA" },
    { 0x70048,  "IOCTL_DISK_GET_PARTITION_INFO_EX" },
    { 0x70050,  "IOCTL_DISK_GET_DRIVE_LAYOUT_EX" },
    { 0x70060,  "IOCTL_DISK_PERFORMANCE_OFF" },
    { 0x700a0,  "IOCTL_DISK_GET_DRIVE_GEOMETRY_EX" },
    { 0x700f0,  "IOCTL_DISK_GET_DISK_ATTRIBUTES" },
    { 0x70140,  "IOCTL_DISK_UPDATE_PROPERTIES" },
    { 0x70214,  "IOCTL_DISK_GET_CLUSTER_INFO" },
    { 0x70c00,  "IOCTL_DISK_GET_MEDIA_TYPES" },
    { 0x74004,  "IOCTL_DISK_GET_PARTITION_INFO" },
    { 0x7400c,  "IOCTL_DISK_GET_DRIVE_LAYOUT" },
    { 0x7405c,  "IOCTL_DISK_GET_LENGTH_INFO" },
    { 0x74080,  "SMART_GET_VERSION" },
    { 0x740d4,  "IOCTL_DISK_GET_CACHE_INFORMATION" },
    { 0x74800,  "IOCTL_DISK_CHECK_VERIFY" },
    { 0x74804,  "IOCTL_DISK_MEDIA_REMOVAL" },
    { 0x74808,  "IOCTL_DISK_EJECT_MEDIA" },
    { 0x7480c,  "IOCTL_DISK_LOAD_MEDIA" },
    { 0x74810,  "IOCTL_DISK_RESERVE" },
    { 0x74814,  "IOCTL_DISK_RELEASE" },
    { 0x74818,  "IOCTL_DISK_FIND_NEW_DEVICES" },
    { 0x7c008,  "IOCTL_DISK_SET_PARTITION_INFO" },
    { 0x7c010,  "IOCTL_DISK_SET_DRIVE_LAYOUT" },
    { 0x7c018,  "IOCTL_DISK_FORMAT_TRACKS" },
    { 0x7c01c,  "IOCTL_DISK_REASSIGN_BLOCKS" },
    { 0x7c02c,  "IOCTL_DISK_FORMAT_TRACKS_EX" },
    { 0x7c04c,  "IOCTL_DISK_SET_PARTITION_INFO_EX" },
    { 0x7c054,  "IOCTL_DISK_SET_DRIVE_LAYOUT_EX" },
    { 0x7c058,  "IOCTL_DISK_CREATE_DISK" },
    { 0x7c084,  "SMART_SEND_DRIVE_COMMAND" },
    { 0x7c088,  "SMART_RCV_DRIVE_DATA" },
    { 0x7c0a4,  "IOCTL_DISK_REASSIGN_BLOCKS_EX" },
    { 0x7c0c8,  "IOCTL_DISK_UPDATE_DRIVE_SIZE" },
    { 0x7c0d0,  "IOCTL_DISK_GROW_PARTITION" },
    { 0x7c0d8,  "IOCTL_DISK_SET_CACHE_INFORMATION" },
    { 0x7c0f4,  "IOCTL_DISK_SET_DISK_ATTRIBUTES" },
    { 0x7c218,  "IOCTL_DISK_SET_CLUSTER_INFO" },
    /* File-system control (oplocks, volume, NTFS, reparse, USN, CSV, ...) */
    { 0x90000,  "FSCTL_REQUEST_OPLOCK_LEVEL_1" },
    { 0x90004,  "FSCTL_REQUEST_OPLOCK_LEVEL_2" },
    { 0x90008,  "FSCTL_REQUEST_BATCH_OPLOCK" },
    { 0x9000c,  "FSCTL_OPLOCK_BREAK_ACKNOWLEDGE" },
    { 0x90010,  "FSCTL_OPBATCH_ACK_CLOSE_PENDING" },
    { 0x90014,  "FSCTL_OPLOCK_BREAK_NOTIFY" },
    { 0x90018,  "FSCTL_LOCK_VOLUME" },
    { 0x9001c,  "FSCTL_UNLOCK_VOLUME" },
    { 0x90020,  "FSCTL_DISMOUNT_VOLUME" },
    { 0x90028,  "FSCTL_IS_VOLUME_MOUNTED" },
    { 0x9002c,  "FSCTL_IS_PATHNAME_VALID" },
    { 0x90030,  "FSCTL_MARK_VOLUME_DIRTY" },
    { 0x9003b,  "FSCTL_QUERY_RETRIEVAL_POINTERS" },
    { 0x9003c,  "FSCTL_GET_COMPRESSION" },
    { 0x90050,  "FSCTL_OPLOCK_BREAK_ACK_NO_2" },
    { 0x90058,  "FSCTL_QUERY_FAT_BPB" },
    { 0x9005c,  "FSCTL_REQUEST_FILTER_OPLOCK" },
    { 0x90060,  "FSCTL_FILESYSTEM_GET_STATISTICS" },
    { 0x90064,  "FSCTL_GET_NTFS_VOLUME_DATA" },
    { 0x90068,  "FSCTL_GET_NTFS_FILE_RECORD" },
    { 0x9006f,  "FSCTL_GET_VOLUME_BITMAP" },
    { 0x90073,  "FSCTL_GET_RETRIEVAL_POINTERS" },
    { 0x90074,  "FSCTL_MOVE_FILE" },
    { 0x90078,  "FSCTL_IS_VOLUME_DIRTY" },
    { 0x90083,  "FSCTL_ALLOW_EXTENDED_DASD_IO" },
    { 0x90087,  "FSCTL_READ_PROPERTY_DATA" },
    { 0x9008b,  "FSCTL_WRITE_PROPERTY_DATA" },
    { 0x9008f,  "FSCTL_FIND_FILES_BY_SID" },
    { 0x90097,  "FSCTL_DUMP_PROPERTY_DATA" },
    { 0x90098,  "FSCTL_SET_OBJECT_ID" },
    { 0x9009c,  "FSCTL_GET_OBJECT_ID" },
    { 0x900a0,  "FSCTL_DELETE_OBJECT_ID" },
    { 0x900a4,  "FSCTL_SET_REPARSE_POINT" },
    { 0x900a8,  "FSCTL_GET_REPARSE_POINT" },
    { 0x900ac,  "FSCTL_DELETE_REPARSE_POINT" },
    { 0x900b3,  "FSCTL_ENUM_USN_DATA" },
    { 0x900bb,  "FSCTL_READ_USN_JOURNAL" },
    { 0x900bc,  "FSCTL_SET_OBJECT_ID_EXTENDED" },
    { 0x900c0,  "FSCTL_CREATE_OR_GET_OBJECT_ID" },
    { 0x900c4,  "FSCTL_SET_SPARSE" },
    { 0x900d7,  "FSCTL_SET_ENCRYPTION" },
    { 0x900db,  "FSCTL_ENCRYPTION_FSCTL_IO" },
    { 0x900df,  "FSCTL_WRITE_RAW_ENCRYPTED" },
    { 0x900e3,  "FSCTL_READ_RAW_ENCRYPTED" },
    { 0x900e7,  "FSCTL_CREATE_USN_JOURNAL" },
    { 0x900eb,  "FSCTL_READ_FILE_USN_DATA" },
    { 0x900ef,  "FSCTL_WRITE_USN_CLOSE_RECORD" },
    { 0x900f0,  "FSCTL_EXTEND_VOLUME" },
    { 0x900f4,  "FSCTL_QUERY_USN_JOURNAL" },
    { 0x900f8,  "FSCTL_DELETE_USN_JOURNAL" },
    { 0x900fc,  "FSCTL_MARK_HANDLE" },
    { 0x90100,  "FSCTL_SIS_COPYFILE" },
    { 0x90120,  "FSCTL_FILE_PREFETCH" },
    { 0x901af,  "CSC_FSCTL_OPERATION_QUERY_HANDLE" },
    { 0x901f0,  "FSCTL_QUERY_DEPENDENT_VOLUME" },
    { 0x90230,  "FSCTL_GET_BOOT_AREA_INFO" },
    { 0x90240,  "FSCTL_REQUEST_OPLOCK" },
    { 0x90244,  "FSCTL_CSV_TUNNEL_REQUEST" },
    { 0x9024c,  "FSCTL_QUERY_FILE_SYSTEM_RECOGNITION" },
    { 0x90254,  "FSCTL_CSV_GET_VOLUME_NAME_FOR_VOLUME_MOUNT_POINT" },
    { 0x90258,  "FSCTL_CSV_GET_VOLUME_PATH_NAMES_FOR_VOLUME_NAME" },
    { 0x9025c,  "FSCTL_IS_FILE_ON_CSV_VOLUME" },
    { 0x90260,  "FSCTL_CORRUPTION_HANDLING" },
    { 0x90270,  "FSCTL_SET_PURGE_FAILURE_MODE" },
    { 0x90277,  "FSCTL_QUERY_FILE_LAYOUT" },
    { 0x90278,  "FSCTL_IS_VOLUME_OWNED_BYCSVFS" },
    { 0x9027c,  "FSCTL_GET_INTEGRITY_INFORMATION" },
    { 0x90284,  "FSCTL_QUERY_FILE_REGIONS" },
    { 0x902b0,  "FSCTL_SCRUB_DATA" },
    { 0x902b8,  "FSCTL_DISABLE_LOCAL_BUFFERING" },
    { 0x9030c,  "FSCTL_SET_EXTERNAL_BACKING" },
    { 0x90310,  "FSCTL_GET_EXTERNAL_BACKING" },
    { 0x940b7,  "FSCTL_SECURITY_ID_CHECK" },
    { 0x940cf,  "FSCTL_QUERY_ALLOCATED_RANGES" },
    { 0x941e4,  "FSCTL_TXFS_LIST_TRANSACTIONS" },
    { 0x94264,  "FSCTL_OFFLOAD_READ" },
    { 0x980c8,  "FSCTL_SET_ZERO_DATA" },
    { 0x980d0,  "FSCTL_ENABLE_UPGRADE" },
    { 0x98208,  "FSCTL_FILE_LEVEL_TRIM" },
    { 0x98268,  "FSCTL_OFFLOAD_WRITE" },
    { 0x9c040,  "FSCTL_SET_COMPRESSION" },
    { 0x9c104,  "FSCTL_SIS_LINK_FILES" },
    { 0x9c108,  "FSCTL_HSM_MSG" },
    { 0x9c2b4,  "FSCTL_REPAIR_COPIES" },
    /* Mailslot and named pipe */
    { 0xc4003,  "FSCTL_MAILSLOT_PEEK" },
    { 0x110000, "FSCTL_PIPE_ASSIGN_EVENT" },
    { 0x110004, "FSCTL_PIPE_DISCONNECT" },
    { 0x110008, "FSCTL_PIPE_LISTEN" },
    { 0x110010, "FSCTL_PIPE_QUERY_EVENT" },
    { 0x110018, "FSCTL_PIPE_WAIT" },
    { 0x11001c, "FSCTL_PIPE_IMPERSONATE" },
    { 0x110020, "FSCTL_PIPE_SET_CLIENT_PROCESS" },
    { 0x110024, "FSCTL_QUERY_CLIENT_PROCESS" },
    { 0x11400c, "FSCTL_PIPE_PEEK" },
    { 0x116000, "FSCTL_PIPE_INTERNAL_READ" },
    { 0x119ff8, "FSCTL_PIPE_INTERNAL_WRITE" },
    { 0x11c017, "FSCTL_PIPE_TRANSCEIVE" },
    { 0x11dfff, "FSCTL_PIPE_INTERNAL_TRANSCEIVE" },
    /* LanMan redirector / network file system */
    { 0x140191, "FSCTL_LMR_START" },
    { 0x140193, "IOCTL_SMBMRX_START" },
    { 0x140194, "FSCTL_LMR_STOP" },
    { 0x140197, "IOCTL_SMBMRX_STOP" },
    { 0x140198, "IOCTL_SMBMRX_GETSTATE" },
    { 0x140199, "FSCTL_NETWORK_SET_CONFIGURATION_INFO" },
    { 0x14019e, "FSCTL_NETWORK_GET_CONFIGURATION_INFO" },
    { 0x1401a3, "FSCTL_NETWORK_GET_CONNECTION_INFO" },
    { 0x1401a7, "FSCTL_NETWORK_ENUMERATE_CONNECTIONS" },
    { 0x1401ab, "FSCTL_LMR_FORCE_DISCONNECT" },
    { 0x1401ac, "FSCTL_NETWORK_DELETE_CONNECTION" },
    { 0x1401b0, "FSCTL_LMR_BIND_TO_TRANSPORT" },
    { 0x1401b4, "FSCTL_LMR_UNBIND_FROM_TRANSPORT" },
    { 0x1401bb, "FSCTL_LMR_ENUMERATE_TRANSPORTS" },
    { 0x1401c4, "FSCTL_LMR_GET_HINT_SIZE" },
    { 0x1401c8, "FSCTL_LMR_TRANSACT" },
    { 0x1401cc, "FSCTL_LMR_ENUMERATE_PRINT_INFO" },
    { 0x1401d0, "FSCTL_NETWORK_GET_STATISTICS" },
    { 0x1401d4, "FSCTL_LMR_START_SMBTRACE" },
    { 0x1401d8, "FSCTL_LMR_END_SMBTRACE" },
    { 0x1401dc, "FSCTL_LMR_START_RBR" },
    { 0x1401e0, "FSCTL_NETWORK_SET_DOMAIN_NAME" },
    { 0x1401e4, "FSCTL_LMR_SET_SERVER_GUID" },
    { 0x1401e8, "FSCTL_LMR_QUERY_TARGET_INFO" },
    { 0x1401ec, "FSCTL_LMR_QUERY_DEBUG_INFO" },
    { 0x1401f4, "IOCTL_SMBMRX_ADDCONN" },
    { 0x1401f8, "IOCTL_SMBMRX_DELCONN" },
    { 0x140378, "IOCTL_UMRX_RELEASE_THREADS" },
    { 0x14037e, "IOCTL_UMRX_GET_REQUEST" },
    { 0x140382, "IOCTL_UMRX_RESPONSE_AND_REQUEST" },
    { 0x140386, "IOCTL_UMRX_RESPONSE" },
    { 0x140388, "IOCTL_UMRX_GET_LOCK_OWNER" },
    { 0x14038c, "IOCTL_LMR_QUERY_REMOTE_SERVER_NAME" },
    { 0x140390, "IOCTL_LMR_DISABLE_LOCAL_BUFFERING" },
    { 0x140394, "IOCTL_UMRX_PREPARE_QUEUE" },
    { 0x140397, "IOCTL_LMR_LWIO_POSTIO" },
    { 0x14039b, "IOCTL_LMR_LWIO_PREIO" },
    { 0x1403e8, "FSCTL_NETWORK_REMOTE_BOOT_INIT_SCRT" },
    { 0x140fdb, "IOCTL_SHADOW_END_REINT" },
    { 0x140fff, "IOCTL_GETSHADOW" },
    /* Storage class driver */
    { 0x2d0800, "IOCTL_STORAGE_CHECK_VERIFY2" },
    { 0x2d080c, "IOCTL_STORAGE_LOAD_MEDIA2" },
    { 0x2d0940, "IOCTL_STORAGE_EJECTION_CONTROL" },
    { 0x2d0944, "IOCTL_STORAGE_MCN_CONTROL" },
    { 0x2d0c00, "IOCTL_STORAGE_GET_MEDIA_TYPES" },
    { 0x2d0c04, "IOCTL_STORAGE_GET_MEDIA_TYPES_EX" },
    { 0x2d0c10, "IOCTL_STORAGE_GET_MEDIA_SERIAL_NUMBER" },
    { 0x2d0c14, "IOCTL_STORAGE_GET_HOTPLUG_INFO" },
    { 0x2d1080, "IOCTL_STORAGE_GET_DEVICE_NUMBER" },
    { 0x2d1100, "IOCTL_STORAGE_PREDICT_FAILURE" },
    { 0x2d1400, "IOCTL_STORAGE_QUERY_PROPERTY" },
    { 0x2d4800, "IOCTL_STORAGE_CHECK_VERIFY" },
    { 0x2d4804, "IOCTL_STORAGE_MEDIA_REMOVAL" },
    { 0x2d4808, "IOCTL_STORAGE_EJECT_MEDIA" },
    { 0x2d480c, "IOCTL_STORAGE_LOAD_MEDIA" },
    { 0x2d4810, "IOCTL_STORAGE_RESERVE" },
    { 0x2d4814, "IOCTL_STORAGE_RELEASE" },
    { 0x2d4818, "IOCTL_STORAGE_FIND_NEW_DEVICES" },
    { 0x2d5000, "IOCTL_STORAGE_RESET_BUS" },
    { 0x2d5004, "IOCTL_STORAGE_RESET_DEVICE" },
    { 0x2d5014, "IOCTL_STORAGE_BREAK_RESERVATION" },
    { 0x2d5018, "IOCTL_STORAGE_PERSISTENT_RESERVE_IN" },
    { 0x2d5140, "IOCTL_STORAGE_READ_CAPACITY" },
    { 0x2d518c, "IOCTL_STORAGE_QUERY_DEPENDENT_DISK" },
    { 0x2dcc18, "IOCTL_STORAGE_SET_HOTPLUG_INFO" },
    { 0x2dd01c, "IOCTL_STORAGE_PERSISTENT_RESERVE_OUT" },
    { 0x38a813, "IOCTL_CHANNEL_GET_SNDCHANNEL" },
    /* Mount manager client (mountdev) */
    { 0x4d0000, "IOCTL_MOUNTDEV_QUERY_UNIQUE_ID" },
    { 0x4d0004, "IOCTL_MOUNTDEV_UNIQUE_ID_CHANGE_NOTIFY" },
    { 0x4d0008, "IOCTL_MOUNTDEV_QUERY_DEVICE_NAME" },
    { 0x4d000c, "IOCTL_MOUNTDEV_QUERY_SUGGESTED_LINK_NAME" },
    { 0x4d0010, "IOCTL_MOUNTDEV_LINK_CREATED" },
    { 0x4d0014, "IOCTL_MOUNTDEV_LINK_DELETED" },
    /* Volume snapshot (volsnap) */
    { 0x530018, "IOCTL_VOLSNAP_QUERY_NAMES_OF_SNAPSHOTS" },
    { 0x530024, "IOCTL_VOLSNAP_QUERY_DIFF_AREA" },
    { 0x53002c, "IOCTL_VOLSNAP_QUERY_DIFF_AREA_SIZES" },
    { 0x530034, "IOCTL_VOLSNAP_AUTO_CLEANUP" },
    { 0x53003c, "IOCTL_VOLSNAP_QUERY_REVERT" },
    { 0x530040, "IOCTL_VOLSNAP_REVERT_CLEANUP" },
    { 0x530048, "IOCTL_VOLSNAP_QUERY_REVERT_PROGRESS" },
    { 0x53004c, "IOCTL_VOLSNAP_CANCEL_REVERT" },
    { 0x530050, "IOCTL_VOLSNAP_QUERY_EPIC" },
    { 0x53005e, "IOCTL_VOLSNAP_QUERY_COPY_FREE_BITMAP" },
    { 0x530190, "IOCTL_VOLSNAP_QUERY_ORIGINAL_VOLUME_NAME" },
    { 0x53019c, "IOCTL_VOLSNAP_QUERY_CONFIG_INFO" },
    { 0x5301a0, "IOCTL_VOLSNAP_HAS_CHANGED" },
    { 0x5301a4, "IOCTL_VOLSNAP_SET_SNAPSHOT_PRIORITY" },
    { 0x5301a8, "IOCTL_VOLSNAP_QUERY_SNAPSHOT_PRIORITY" },
    { 0x5301ae, "IOCTL_VOLSNAP_QUERY_DELTA_BITMAP" },
    { 0x5301b2, "IOCTL_VOLSNAP_QUERY_SNAPSHOT_SUPPLEMENTAL" },
    { 0x5301b6, "IOCTL_VOLSNAP_QUERY_COPIED_BITMAP" },
    { 0x5301b8, "IOCTL_VOLSNAP_QUERY_MOVE_LIST" },
    { 0x5301be, "IOCTL_VOLSNAP_QUERY_PRE_COPIED_BITMAP" },
    { 0x5301c2, "IOCTL_VOLSNAP_QUERY_USED_PRE_COPIED_BITMAP" },
    { 0x5301c6, "IOCTL_VOLSNAP_QUERY_DEFRAG_PRE_COPIED_BITMAP" },
    { 0x5301ca, "IOCTL_VOLSNAP_QUERY_FREESPACE_PRE_COPIED_BITMAP" },
    { 0x5301ce, "IOCTL_VOLSNAP_QUERY_HOTBLOCKS_PRE_COPIED_BITMAP" },
    { 0x5301d0, "IOCTL_VOLSNAP_QUERY_DIFF_AREA_FILE_SIZES" },
    { 0x534054, "IOCTL_VOLSNAP_QUERY_OFFLINE" },
    { 0x534058, "IOCTL_VOLSNAP_QUERY_DIFF_AREA_MINIMUM_SIZE" },
    { 0x534064, "IOCTL_VOLSNAP_BLOCK_DELETE_IN_THE_MIDDLE" },
    { 0x534070, "IOCTL_VOLSNAP_QUERY_APPLICATION_FLAGS" },
    { 0x534080, "IOCTL_VOLSNAP_QUERY_PERFORMANCE_COUNTERS" },
    { 0x534088, "IOCTL_VOLSNAP_QUERY_PRE_COPY_AMOUNTS" },
    { 0x53408c, "IOCTL_VOLSNAP_QUERY_DEFAULT_PRE_COPY_AMOUNTS" },
    { 0x53c000, "IOCTL_VOLSNAP_FLUSH_AND_HOLD_WRITES" },
    { 0x53c004, "IOCTL_VOLSNAP_RELEASE_WRITES" },
    { 0x53c008, "IOCTL_VOLSNAP_PREPARE_FOR_SNAPSHOT" },
    { 0x53c00c, "IOCTL_VOLSNAP_ABORT_PREPARED_SNAPSHOT" },
    { 0x53c010, "IOCTL_VOLSNAP_COMMIT_SNAPSHOT" },
    { 0x53c014, "IOCTL_VOLSNAP_END_COMMIT_SNAPSHOT" },
    { 0x53c01c, "IOCTL_VOLSNAP_CLEAR_DIFF_AREA" },
    { 0x53c020, "IOCTL_VOLSNAP_ADD_VOLUME_TO_DIFF_AREA" },
    { 0x53c028, "IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE" },
    { 0x53c030, "IOCTL_VOLSNAP_DELETE_OLDEST_SNAPSHOT" },
    { 0x53c038, "IOCTL_VOLSNAP_DELETE_SNAPSHOT" },
    { 0x53c044, "IOCTL_VOLSNAP_REVERT" },
    { 0x53c068, "IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE_TEMP" },
    { 0x53c06c, "IOCTL_VOLSNAP_SET_APPLICATION_FLAGS" },
    { 0x53c07c, "IOCTL_VOLSNAP_SET_BC_FAILURE_MODE" },
    { 0x53c084, "IOCTL_VOLSNAP_SET_PRE_COPY_AMOUNTS" },
    { 0x53c090, "IOCTL_VOLSNAP_PRE_EXPOSE_DEVICES" },
    { 0x53c198, "IOCTL_VOLSNAP_SET_APPLICATION_INFO" },
    /* Volume manager and disk queries */
    { 0x560000, "IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS" },
    { 0x560038, "IOCTL_VOLUME_GET_GPT_ATTRIBUTES" },
    { 0x700010, "IOCTL_DISK_QUERY_DEVICE_STATE" },
    { 0x704008, "IOCTL_DISK_QUERY_DISK_SIGNATURE" },
    { 0, NULL }
};

/*
 * Extended wrapper over ioctl_code_vals.  VALUE_STRING_EXT_INIT records the
 * first-lookup initialiser (_try_val_to_str_ext_init), the entry count
 * (array length minus the {0, NULL} terminator), the table pointer and the
 * table's name.
 */
static value_string_ext ioctl_code_vals_ext = VALUE_STRING_EXT_INIT(ioctl_code_vals);
1729
1730
/* Display labels for the synchronisation type field; 0 is a real entry ("Other"). */
static const value_string sync_type_vals[] = {
    { 0x0, "Other" },
    { 0x1, "Create Section" },
    { 0, NULL }
};
1736
/*
 * Display labels for the page-protection field.  The values are single bits
 * (0x01..0x40, then 0x200) and this table names them individually; a lookup
 * on a combined mask would not match any entry.
 */
static const value_string page_protection_vals[] = {
    { 0x0,   "None" },
    { 0x01,  "No Access" },
    { 0x02,  "Read Only" },
    { 0x04,  "Read/Write" },
    { 0x08,  "Write Copy" },
    { 0x10,  "Execute" },
    { 0x20,  "Execute Read" },
    { 0x40,  "Execute Read/Write" },
    { 0x200, "No Cache" },
    { 0, NULL }
};
1749
/* FILE_INFORMATION_CLASS values as used by the Directory Control (query)
 * decoding in dissect_procmon_filesystem_event(): classes 1, 2, 3, 12, 37 and
 * 38 get a per-entry decode there, everything else is only labelled.
 *
 * NOTE(review): entries 71..75 are privilege names (Se*Privilege), not
 * FILE_INFORMATION_CLASS members; they look misplaced in this table.  Left
 * as-is because it is not visible here whether another field reuses them —
 * confirm before removing. */
1750static const value_string file_information_class_vals[] = {
1751 {0, "Unknown"},
1752 {1, "File Directory Information"},
1753 {2, "File Full Directory Information"},
1754 {3, "File Both Directory Information"},
1755 {4, "File Basic Information"},
1756 {5, "File Standard Information"},
1757 {6, "File Internal Information"},
1758 {7, "File Ea Information"},
1759 {8, "File Access Information"},
1760 {9, "File Name Information"},
1761 {10, "File Rename Information"},
1762 {11, "File Link Information"},
1763 {12, "File Names Information"},
1764 {13, "File Disposition Information"},
1765 {14, "File Position Information"},
1766 {15, "File Full Ea Information"},
1767 {16, "File Mode Information"},
1768 {17, "File Alignment Information"},
1769 {18, "File All Information"},
1770 {19, "File Allocation Information"},
1771 {20, "File End Of File Information"},
1772 {21, "File Alternate Name Information"},
1773 {22, "File Stream Information"},
1774 {23, "File Pipe Information"},
1775 {24, "File Pipe Local Information"},
1776 {25, "File Pipe Remote Information"},
1777 {26, "File Mailslot Query Information"},
1778 {27, "File Mailslot Set Information"},
1779 {28, "File Compression Information"},
1780 {29, "File ObjectId Information"},
1781 {30, "File Completion Information"},
1782 {31, "File Move Cluster Information"},
1783 {32, "File Quota Information"},
1784 {33, "File Reparse Point Information"},
1785 {34, "File Network Open Information"},
1786 {35, "File Attribute Tag Information"},
1787 {36, "File Tracking Information"},
1788 {37, "File Id Both Directory Information"},
1789 {38, "File Id Full Directory Information"},
1790 {39, "File Valid Data Length Information"},
1791 {40, "File Short Name Information"},
1792 {41, "File Io Completion Notification Information"},
1793 {42, "File Io Status Block Range Information"},
1794 {43, "File Io Priority Hint Information"},
1795 {44, "File Sfio Reserve Information"},
1796 {45, "File Sfio Volume Information"},
1797 {46, "File Hard Link Information"},
1798 {47, "File Process Ids Using File Information"},
1799 {48, "File Normalized Name Information"},
1800 {49, "File Network Physical Name Information"},
1801 {50, "File Id Global Tx Directory Information"},
1802 {51, "File Is Remote Device Information"},
1803 {52, "File Unused Information"},
1804 {53, "File Numa Node Information"},
1805 {54, "File Standard Link Information"},
1806 {55, "File Remote Protocol Information"},
1807 {56, "File Rename Information Bypass Access Check"},
1808 {57, "File Link Information Bypass Access Check"},
1809 {58, "File Volume Name Information"},
1810 {59, "File Id Information"},
1811 {60, "File Id Extended Directory Information"},
1812 {61, "File Replace Completion Information"},
1813 {62, "File Hard Link Full Id Information"},
1814 {63, "File Id Extended Both Directory Information"},
1815 {64, "File Disposition Information Ex"},
1816 {65, "File Rename Information Ex"},
1817 {66, "File Rename Information Ex Bypass Access Check"},
1818 {67, "File Desired Storage Class Information"},
1819 {68, "File Stat Information"},
1820 {69, "File Memory Partition Information"},
1821 {70, "File Maximum Information"},
1822 {71, "SeShutdownPrivilege"},
1823 {72, "SeChangeNotifyPrivilege"},
1824 {73, "SeUndockPrivilege"},
1825 {74, "SeIncreaseWorkingSetPrivilege"},
1826 {75, "SeTimeZonePrivilege"},
1827 { 0, NULL((void*)0) }
1828};
1829
/*
 * Dissect the details block of a Process Monitor file-system event.
 *
 * tvb               - the event's details buffer, dissected from offset 0
 * pinfo             - packet info; pinfo->pseudo_header->procmon.system_bitness
 *                     selects the pointer width (8 when non-zero, else 4), which
 *                     decides where the 64-bit padding is skipped below
 * tree              - parent tree; a "File System Data" subtree is added to it
 * operation         - PROCMON_FILESYSTEM_OPERATION_* selector for this event
 * extra_details_tvb - the "extra details" buffer; only consulted by the cases
 *                     that test tvb_reported_length(extra_details_tvb) > 0
 *
 * Returns true when any byte of extra_details_tvb was consumed
 * (extra_offset > 0), false otherwise.
 *
 * Layout: a 4-byte sub-operation/padding prefix, then a fixed block of
 * 5 * size_of_pointer + 20 bytes whose meaning depends on the operation, then
 * the path string, then an operation-specific variable-size tail.  Every length
 * used here (name_length, sid_length, count, path_char_count) comes straight
 * from the capture and is not compared against a maximum; the code relies on
 * the tvb accessors rejecting out-of-range reads.
 */
1830static bool_Bool dissect_procmon_filesystem_event(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, uint32_t operation, tvbuff_t* extra_details_tvb)
1831{
1832 proto_tree* filesystem_tree;
1833 int offset = 0, extra_offset = 0;
1834 uint32_t sub_operation, ioctl_value = 0, file_information_class = 0;
1835 int size_of_pointer;
1836 bool_Bool is_path_ascii;
1837 uint16_t path_char_count;
1838 const value_string* sub_op_vals = NULL((void*)0);
// Presumably the concrete masks behind Generic Read / Generic Write /
// Generic Execute / All Access (the same four values are labelled that way in
// file_system_access_mask_vals below) — confirm against dissect_procmon_access_mask().
1839 uint32_t file_system_access_mask_mapping[4] = {0x120089, 0x120116, 0x1200a0, 0x1f01ff};
1840 static const value_string file_system_access_mask_vals[] = {
1841 {0x1f01ff, "All Access"},
1842 {0x1201bf, "Generic Read/Write/Execute"},
1843 {0x12019f, "Generic Read/Write"},
1844 {0x1200a9, "Generic Read/Execute"},
1845 {0x1201b6, "Generic Write/Execute"},
1846 {0x120089, "Generic Read"},
1847 {0x120116, "Generic Write"},
1848 {0x1200a0, "Generic Execute"},
1849 {0x1, "Read Data/List Directory"},
1850 {0x2, "Write Data/Add File"},
1851 {0x4, "Append Data/Add Subdirectory/Create Pipe Instance"},
1852 {0x8, "Read EA"},
1853 {0x10, "Write EA"},
1854 {0x20, "Execute/Traverse"},
1855 {0x40, "Delete Child"},
1856 {0x80, "Read Attributes"},
1857 {0x100, "Write Attributes"},
1858 {0x10000, "Delete"},
1859 {0x20000, "Read Control"},
1860 {0x40000, "Write DAC"},
1861 {0x80000, "Write Owner"},
1862 {0x100000, "Synchronize"},
1863 {0x1000000, "Access System Security"},
1864 {0x2000000, "Maximum Allowed"},
1865 { 0, NULL((void*)0) }
1866 };
1867 static const value_string file_system_io_flags_vals[] = {
1868 {0x10, "Buffered"},
1869 {0x1, "Non-cached"},
1870 {0x2, "Paging I/O"},
1871 {0x4, "Synchronous"},
1872 {0x40, "Synchronous Paging I/O"},
1873 {0x400000, "Write Through"},
1874 { 0, NULL((void*)0) }
1875 };
1876
// A non-zero bitness flag means a 64-bit capture: pointer-sized fields are 8
// bytes and several 4-byte alignment gaps appear in the fixed block.
1877 if (pinfo->pseudo_header->procmon.system_bitness)
1878 {
1879 size_of_pointer = 8;
1880 }
1881 else
1882 {
1883 size_of_pointer = 4;
1884 }
1885
1886 filesystem_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_procmon_filesystem_event, NULL((void*)0), "File System Data");
1887
1888 /* Handle the cases where the Sub operation value string is based on the operation */
// First byte is the sub-operation; it is also needed later (Directory Control
// and Set Information File branch on it after the path).
1889 sub_operation = tvb_get_uint8(tvb, offset);
1890 switch(operation)
1891 {
1892 case PROCMON_FILESYSTEM_OPERATION_QUERY_INFORMATION_FILE25:
1893 sub_op_vals = filesystem_operation_query_info_vals;
1894 break;
1895 case PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE26:
1896 sub_op_vals = filesystem_operation_set_info_vals;
1897 break;
1898 case PROCMON_FILESYSTEM_OPERATION_QUERY_VOLUME_INFORMATION30:
1899 sub_op_vals = filesystem_operation_query_volume_info_vals;
1900 break;
1901 case PROCMON_FILESYSTEM_OPERATION_SET_VOLUME_INFORMATION31:
1902 sub_op_vals = filesystem_operation_set_volume_info_vals;
1903 break;
1904 case PROCMON_FILESYSTEM_OPERATION_DIRECTORY_CONTROL32:
1905 sub_op_vals = filesystem_operation_directory_control_vals;
1906 break;
1907 case PROCMON_FILESYSTEM_OPERATION_PLUG_AND_PLAY47:
1908 sub_op_vals = filesystem_operation_pnp_vals;
1909 break;
1910 case PROCMON_FILESYSTEM_OPERATION_LOCK_UNLOCK_FILE37:
1911 sub_op_vals = filesystem_operation_lock_unlock_file_vals;
1912 break;
1913 }
// Operations without a dedicated table show the raw sub-operation number.
1914 if (sub_op_vals != NULL((void*)0))
1915 {
1916 proto_tree_add_uint_format_value(filesystem_tree, hf_procmon_filesystem_suboperation, tvb, offset, 1, sub_operation, "%s (%u)",
1917 val_to_str_const(sub_operation, sub_op_vals, "Unknown"), sub_operation);
1918 }
1919 else
1920 {
1921 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_suboperation, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
1922 }
1923 offset += 1;
1924 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_padding, tvb, offset, 3, ENC_NA0x00000000);
1925 offset += 3;
1926
// Fixed-size, operation-specific block (5 * size_of_pointer + 20 bytes).  Each
// case walks a private copy of offset; the shared offset is advanced past the
// whole block after the switch, whether or not the case decoded all of it.
1927 switch(operation)
1928 {
1929 case PROCMON_FILESYSTEM_OPERATION_CREATE_FILE20:
1930 {
1931 static const value_string file_system_create_file_options_vals[] = {
1932 {0x1, "Directory"},
1933 {0x2, "Write Through"},
1934 {0x4, "Sequential Access"},
1935 {0x8, "No Buffering"},
1936 {0x10, "Synchronous IO Alert"},
1937 {0x20, "Synchronous IO Non-Alert"},
1938 {0x40, "Non-Directory File"},
1939 {0x80, "Create Tree Connection"},
1940 {0x100, "Complete If Oplocked"},
1941 {0x200, "No EA Knowledge"},
1942 {0x400, "Open for Recovery"},
1943 {0x800, "Random Access"},
1944 {0x1000, "Delete On Close"},
1945 {0x2000, "Open By ID"},
1946 {0x4000, "Open For Backup"},
1947 {0x8000, "No Compression"},
1948 {0x100000, "Reserve OpFilter"},
1949 {0x200000, "Open Reparse Point"},
1950 {0x400000, "Open No Recall"},
1951 {0x800000, "Open For Free Space Query"},
1952 {0x10000, "Open Requiring Oplock"},
1953 {0x20000, "Disallow Exclusive"},
1954 { 0, NULL((void*)0) }
1955 };
1956
// Single-letter FILE_ATTRIBUTE_* abbreviations as shown by Process Monitor.
1957 static const value_string file_system_create_file_attribute_vals[] = {
1958 {0x1, "R"},
1959 {0x2, "H"},
1960 {0x4, "S"},
1961 {0x10, "D"},
1962 {0x20, "A"},
// NOTE(review): 0x40 carries the same label "D" as 0x10; in Win32 0x10 is
// FILE_ATTRIBUTE_DIRECTORY and 0x40 FILE_ATTRIBUTE_DEVICE — confirm the
// intended abbreviation.
1963 {0x40, "D"},
1964 {0x80, "N"},
1965 {0x100, "T"},
1966 {0x200, "SF"},
1967 {0x400, "RP"},
1968 {0x800, "C"},
1969 {0x1000, "O"},
1970 {0x2000, "NCI"},
1971 {0x4000, "E"},
1972 {0x10000, "V"},
1973 { 0, NULL((void*)0) }
1974 };
1975
1976 static const value_string file_system_create_file_shared_mode_vals[] = {
1977 {0x1, "Read"},
1978 {0x2, "Write"},
1979 {0x4, "Delete"},
1980 { 0, NULL((void*)0) }
1981 };
1982
// The first 16 (20 on 64-bit) bytes of the block are not decoded.
1983 int create_file_offset;
1984 if (size_of_pointer == 4)
1985 {
1986 create_file_offset = offset+16;
1987 }
1988 else
1989 {
1990 create_file_offset = offset+20; //Padding for 64-bit
1991 }
1992
1993 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_create_file_disposition, tvb, create_file_offset, 1, ENC_LITTLE_ENDIAN0x80000000);
1994 create_file_offset += 1;
1995 dissect_procmon_access_mask(tvb, pinfo, filesystem_tree, create_file_offset, hf_procmon_filesystem_create_file_options, 3, NULL((void*)0), file_system_create_file_options_vals);
1996 create_file_offset += 3;
1997
1998 if (size_of_pointer == 8)
1999 create_file_offset += 4; //Padding for 64-bit
2000
// A zero attribute word is shown as "N/A" instead of an empty flag list.
2001 uint16_t attributes = tvb_get_letohs(tvb, create_file_offset);
2002 if (attributes == 0)
2003 {
2004 proto_tree_add_uint_format_value(filesystem_tree, hf_procmon_filesystem_create_file_attributes, tvb, create_file_offset, 2, attributes, "N/A");
2005 }
2006 else
2007 {
// NOTE(review): the attribute word was read as 2 bytes above but is passed to
// dissect_procmon_access_mask() with length 3, and the table holds 0x10000 —
// confirm the field really is 3 bytes wide (the offset advances by 2).
2008 dissect_procmon_access_mask(tvb, pinfo, filesystem_tree, create_file_offset, hf_procmon_filesystem_create_file_attributes, 3, NULL((void*)0), file_system_create_file_attribute_vals);
2009 }
2010 create_file_offset += 2;
2011 dissect_procmon_access_mask(tvb, pinfo, filesystem_tree, create_file_offset, hf_procmon_filesystem_create_file_share_mode, 2, NULL((void*)0), file_system_create_file_shared_mode_vals);
2012 create_file_offset += 2;
2013
2014 //Unknown fields
2015 create_file_offset += (4 + size_of_pointer*2);
2016
2017 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_create_file_allocation, tvb, create_file_offset, 4, ENC_LITTLE_ENDIAN0x80000000);
2018 create_file_offset += 4; // not read afterwards; kept as layout bookkeeping
2019
// The open result lives in the extra-details buffer when one is present.
2020 if (tvb_reported_length(extra_details_tvb) > 0)
2021 {
2022 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_create_file_open_result, extra_details_tvb, extra_offset, 4, ENC_LITTLE_ENDIAN0x80000000);
2023 extra_offset += 4;
2024 }
2025
2026 break;
2027 }
2028 case PROCMON_FILESYSTEM_OPERATION_READ_FILE23:
2029 case PROCMON_FILESYSTEM_OPERATION_WRITE_FILE24:
2030 {
2031 int file_offset = offset;
2032 //Unknown fields
2033 file_offset += 4;
2034
// I/O flags and priority are both taken from the same 4-byte word.
2035 dissect_procmon_access_mask(tvb, pinfo, filesystem_tree, file_offset, hf_procmon_filesystem_readwrite_file_io_flags, 4, NULL((void*)0), file_system_io_flags_vals);
2036 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_readwrite_file_priority, tvb, file_offset, 4, ENC_LITTLE_ENDIAN0x80000000);
2037 file_offset += 4;
2038
2039 //Unknown fields
2040 file_offset += 4;
2041
2042 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_readwrite_file_length, tvb, file_offset, 4, ENC_LITTLE_ENDIAN0x80000000);
2043 file_offset += 4;
2044 if (size_of_pointer == 8)
2045 file_offset += 4; //Padding for 64-bit
2046
2047 //Unknown fields
2048 file_offset += 4;
2049 if (size_of_pointer == 8)
2050 file_offset += 4; //Padding for 64-bit
2051
2052 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_readwrite_file_offset, tvb, file_offset, 8, ENC_LITTLE_ENDIAN0x80000000);
// The completed length is reported in the extra-details buffer.
2053 if (tvb_reported_length(extra_details_tvb) > 0)
2054 {
2055 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_readwrite_file_result_length, extra_details_tvb, extra_offset, 4, ENC_LITTLE_ENDIAN0x80000000);
2056 extra_offset += 4;
2057 }
2058
2059 break;
2060 }
2061 case PROCMON_FILESYSTEM_OPERATION_FILE_SYSTEM_CONTROL33:
2062 case PROCMON_FILESYSTEM_OPERATION_DEVICE_IO_CONTROL34:
2063 {
2064 int control_offset = offset;
2065 //Unknown fields
2066 control_offset += 8;
2067
2068 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_ioctl_write_length, tvb, control_offset, 4, ENC_LITTLE_ENDIAN0x80000000);
2069 control_offset += 4;
2070 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_ioctl_read_length, tvb, control_offset, 4, ENC_LITTLE_ENDIAN0x80000000);
2071 control_offset += 4;
2072
2073 if (size_of_pointer == 8)
2074 control_offset += 4; //Padding for 64-bit
2075
2076 //Unknown fields
2077 control_offset += 4;
2078 if (size_of_pointer == 8)
2079 control_offset += 4; //Padding for 64-bit
2080
// ioctl_value is kept in the function-level variable because the tail after
// the path (FSCTL_OFFLOAD_READ/WRITE) branches on it.  Unknown codes are
// split into the CTL_CODE fields: device type (bits 16..31), function
// (bits 2..13) and method (bits 0..1); the access bits 14..15 are not shown.
2081 ioctl_value = tvb_get_letohl(tvb, control_offset);
2082 if (try_val_to_str_ext(ioctl_value, &ioctl_code_vals_ext) == NULL((void*)0))
2083 {
2084 proto_tree_add_uint_format_value(filesystem_tree, hf_procmon_filesystem_ioctl_ioctl, tvb, control_offset, 4, ioctl_value,
2085 "0x%08x (Device:0x%08x Function:%d Method: %d)", ioctl_value, ioctl_value >> 16, (ioctl_value >> 2) & 0xfff, ioctl_value & 3);
2086 }
2087 else
2088 {
2089 proto_tree_add_uint(filesystem_tree, hf_procmon_filesystem_ioctl_ioctl, tvb, control_offset, 4, ioctl_value);
2090 }
2091 control_offset += 4; // not read afterwards; kept as layout bookkeeping
2092
2093 break;
2094 }
2095 case PROCMON_FILESYSTEM_OPERATION_CREATE_FILE_MAPPING19:
2096 {
2097 int mapping_offset = offset;
2098 //Unknown fields
2099 mapping_offset += 12;
2100 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_create_file_mapping_sync_type, tvb, mapping_offset, 4, ENC_LITTLE_ENDIAN0x80000000);
2101 mapping_offset += 4;
2102 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_create_file_mapping_page_protection, tvb, mapping_offset, 4, ENC_LITTLE_ENDIAN0x80000000);
2103 break;
2104 }
2105 case PROCMON_FILESYSTEM_OPERATION_DIRECTORY_CONTROL32:
2106 {
2107 int control_offset = offset;
2108 switch(sub_operation)
2109 {
2110 case PROCMON_FILESYSTEM_OPERATION_DIRECTORY_CONTROL_QUERY0x01:
2111 //Unknown fields
2112 control_offset += 16;
2113 if (size_of_pointer == 8)
2114 control_offset += 4; //Padding for 64-bit
2115 //Unknown fields
2116 control_offset += 4;
2117 if (size_of_pointer == 8)
2118 control_offset += 4; //Padding for 64-bit
2119
// The information class selects the layout of the entries returned in the
// extra-details buffer (see file_information_class_vals).
2120 proto_tree_add_item_ret_uint(filesystem_tree, hf_procmon_filesystem_directory_control_file_information_class, tvb, control_offset, 4, ENC_LITTLE_ENDIAN0x80000000, &file_information_class);
2121 if (tvb_reported_length(extra_details_tvb) > 0)
2122 {
2123 nstime_t timestamp;
2124 uint32_t name_length, next_entry_offset;
2125 switch (file_information_class)
2126 {
2127 case 1: // File Directory Information
2128 case 2: // File Full Directory Information
2129 case 3: // File Both Directory Information
2130 case 12: // File Names Information
2131 case 37: // File Id Both Directory Information
2132 case 38: // File Id Full Directory Information
// Walk the FILE_*_INFORMATION entries.  Each entry is parsed as the common
// prefix (next entry offset, file index, ...) followed by a class-specific
// tail; the "continue" statements jump to the loop condition.
// NOTE(review): extra_offset advances by the accumulated field sizes, and
// next_entry_offset is only used as the stop condition.  If entries are
// padded to an alignment boundary the walk drifts after the first entry —
// confirm against the capture format (the native structures are
// 8-byte aligned via NextEntryOffset).
2133 do
2134 {
2135 int start_extra_offset = extra_offset;
2136 proto_item* information_item;
2137 proto_tree* information_tree = proto_tree_add_subtree(filesystem_tree, extra_details_tvb, extra_offset, 0, ett_procmon_filesystem_information, &information_item, "Information");
2138
2139 proto_tree_add_item_ret_uint(information_tree, hf_procmon_filesystem_directory_control_query_next_entry_offset, extra_details_tvb, extra_offset, 4, ENC_LITTLE_ENDIAN0x80000000, &next_entry_offset);
2140 extra_offset += 4;
2141 proto_tree_add_item(information_tree, hf_procmon_filesystem_directory_control_query_file_index, extra_details_tvb, extra_offset, 4, ENC_LITTLE_ENDIAN0x80000000);
2142 extra_offset += 4;
2143 if (file_information_class == 12)
2144 {
2145 // File Names Information
2146 proto_tree_add_item_ret_uint(information_tree, hf_procmon_filesystem_directory_control_query_name_length, extra_details_tvb, extra_offset, 4, ENC_LITTLE_ENDIAN0x80000000, &name_length);
2147 extra_offset += 4;
2148 proto_tree_add_item(information_tree, hf_procmon_filesystem_directory_control_query_name, extra_details_tvb, extra_offset, name_length, ENC_UTF_160x00000004 | ENC_LITTLE_ENDIAN0x80000000);
// name_length is capture-controlled and unbounded here; int += uint32_t
// wraps for very large values.  The tvb accessors are the only guard.
2149 extra_offset += name_length;
2150 proto_item_set_len(information_item, extra_offset-start_extra_offset);
2151 continue;
2152 }
2153
// FILETIME timestamps: creation, last access, last write, change.
2154 filetime_to_nstime(&timestamp, tvb_get_letoh64(extra_details_tvb, extra_offset));
2155 proto_tree_add_time(information_tree, hf_procmon_filesystem_directory_control_query_creation_time, extra_details_tvb, extra_offset, 8, &timestamp);
2156 extra_offset += 8;
2157 filetime_to_nstime(&timestamp, tvb_get_letoh64(extra_details_tvb, extra_offset));
2158 proto_tree_add_time(information_tree, hf_procmon_filesystem_directory_control_query_last_access_time, extra_details_tvb, extra_offset, 8, &timestamp);
2159 extra_offset += 8;
2160 filetime_to_nstime(&timestamp, tvb_get_letoh64(extra_details_tvb, extra_offset));
2161 proto_tree_add_time(information_tree, hf_procmon_filesystem_directory_control_query_last_write_time, extra_details_tvb, extra_offset, 8, &timestamp);
2162 extra_offset += 8;
2163 filetime_to_nstime(&timestamp, tvb_get_letoh64(extra_details_tvb, extra_offset));
2164 proto_tree_add_time(information_tree, hf_procmon_filesystem_directory_control_query_change_time, extra_details_tvb, extra_offset, 8, &timestamp);
2165 extra_offset += 8;
2166 proto_tree_add_item(information_tree, hf_procmon_filesystem_directory_control_query_end_of_file, extra_details_tvb, extra_offset, 8, ENC_LITTLE_ENDIAN0x80000000);
2167 extra_offset += 8;
2168 proto_tree_add_item(information_tree, hf_procmon_filesystem_directory_control_query_allocation_size, extra_details_tvb, extra_offset, 8, ENC_LITTLE_ENDIAN0x80000000);
2169 extra_offset += 8;
2170 proto_tree_add_item(information_tree, hf_procmon_filesystem_directory_control_query_file_attributes, extra_details_tvb, extra_offset, 4, ENC_LITTLE_ENDIAN0x80000000);
2171 extra_offset += 4;
2172 proto_tree_add_item_ret_uint(information_tree, hf_procmon_filesystem_directory_control_query_name_length, extra_details_tvb, extra_offset, 4, ENC_LITTLE_ENDIAN0x80000000, &name_length);
2173 extra_offset += 4;
// Class 1 ends here: the name follows the name length directly.
2174 if (file_information_class == 1)
2175 {
2176 proto_tree_add_item(information_tree, hf_procmon_filesystem_directory_control_query_name, extra_details_tvb, extra_offset, name_length, ENC_UTF_160x00000004 | ENC_LITTLE_ENDIAN0x80000000);
2177 extra_offset += name_length;
2178 proto_item_set_len(information_item, extra_offset - start_extra_offset);
2179 continue;
2180 }
2181 proto_tree_add_item(information_tree, hf_procmon_filesystem_directory_control_query_file_ea_size, extra_details_tvb, extra_offset, 4, ENC_LITTLE_ENDIAN0x80000000);
2182 extra_offset += 4;
// Class 2: EA size then the name.
2183 if (file_information_class == 2)
2184 {
2185 proto_tree_add_item(information_tree, hf_procmon_filesystem_directory_control_query_name, extra_details_tvb, extra_offset, name_length, ENC_UTF_160x00000004 | ENC_LITTLE_ENDIAN0x80000000);
2186 extra_offset += name_length;
2187 proto_item_set_len(information_item, extra_offset - start_extra_offset);
2188 continue;
2189 }
// Class 38: 8-byte file id then the name.
2190 if (file_information_class == 38)
2191 {
2192 proto_tree_add_item(information_tree, hf_procmon_filesystem_directory_control_query_file_id, extra_details_tvb, extra_offset, 8, ENC_LITTLE_ENDIAN0x80000000);
2193 extra_offset += 8;
2194 proto_tree_add_item(information_tree, hf_procmon_filesystem_directory_control_query_name, extra_details_tvb, extra_offset, name_length, ENC_UTF_160x00000004 | ENC_LITTLE_ENDIAN0x80000000);
2195 extra_offset += name_length;
2196 proto_item_set_len(information_item, extra_offset - start_extra_offset);
2197 continue;
2198 }
// Classes 3 and 37: short-name length, 1 byte of alignment, 12 WCHARs of
// short name (24 bytes, fixed width regardless of the length byte).
2199 proto_tree_add_item(information_tree, hf_procmon_filesystem_directory_control_query_short_name_length, extra_details_tvb, extra_offset, 1, ENC_LITTLE_ENDIAN0x80000000);
2200 extra_offset += 1;
2201 proto_tree_add_item(information_tree, hf_procmon_filesystem_padding, extra_details_tvb, extra_offset, 1, ENC_NA0x00000000);
2202 extra_offset += 1;
2203 proto_tree_add_item(information_tree, hf_procmon_filesystem_directory_control_query_short_name, extra_details_tvb, extra_offset, 24, ENC_UTF_160x00000004 | ENC_LITTLE_ENDIAN0x80000000);
2204 extra_offset += 24;
2205 if (file_information_class == 3)
2206 {
2207 proto_tree_add_item(information_tree, hf_procmon_filesystem_directory_control_query_name, extra_details_tvb, extra_offset, name_length, ENC_UTF_160x00000004 | ENC_LITTLE_ENDIAN0x80000000);
2208 extra_offset += name_length;
2209 proto_item_set_len(information_item, extra_offset - start_extra_offset);
2210 continue;
2211 }
// Only class 37 reaches this point.
// NOTE(review): FILE_ID_BOTH_DIR_INFORMATION carries an 8-byte FileId between
// this 2-byte reserved field and the name; the code goes straight to the name
// after the 2 bytes, so the class-37 name would start 8 bytes early — confirm
// against a class-37 capture (the class-38 branch above does decode a file id).
2212 proto_tree_add_item(information_tree, hf_procmon_filesystem_padding, extra_details_tvb, extra_offset, 2, ENC_NA0x00000000);
2213 extra_offset += 2;
2214 proto_tree_add_item(information_tree, hf_procmon_filesystem_directory_control_query_name, extra_details_tvb, extra_offset, name_length, ENC_UTF_160x00000004 | ENC_LITTLE_ENDIAN0x80000000);
2215 extra_offset += name_length;
2216 proto_item_set_len(information_item, extra_offset - start_extra_offset);
2217 }
// Stop at the end of the buffer or when the entry announces no successor.
2218 while ((tvb_reported_length_remaining(extra_details_tvb, extra_offset) > 0) && (next_entry_offset != 0));
2219 break;
2220 }
2221 }
2222 break;
2223 case PROCMON_FILESYSTEM_OPERATION_DIRECTORY_CONTROL_NOTIFY_CHANGE0x02:
2224 {
// FILE_NOTIFY_CHANGE_* completion filter bits; 0x3 is the NAME combination
// of FILE_NAME (0x1) and DIR_NAME (0x2).
2225 static const value_string file_system_create_notify_change_flags_vals[] = {
2226 {0x1, "FILE_NOTIFY_CHANGE_FILE_NAME"},
2227 {0x2, "FILE_NOTIFY_CHANGE_DIR_NAME"},
2228 {0x3, "FILE_NOTIFY_CHANGE_NAME"},
2229 {0x4, "FILE_NOTIFY_CHANGE_ATTRIBUTES"},
2230 {0x8, "FILE_NOTIFY_CHANGE_SIZE"},
2231 {0x10, "FILE_NOTIFY_CHANGE_LAST_WRITE"},
2232 {0x20, "FILE_NOTIFY_CHANGE_LAST_ACCESS"},
2233 {0x40, "FILE_NOTIFY_CHANGE_CREATION"},
2234 {0x80, "FILE_NOTIFY_CHANGE_EA"},
2235 {0x100, "FILE_NOTIFY_CHANGE_SECURITY"},
2236 {0x200, "FILE_NOTIFY_CHANGE_STREAM_NAME"},
2237 {0x400, "FILE_NOTIFY_CHANGE_STREAM_SIZE"},
2238 {0x800, "FILE_NOTIFY_CHANGE_STREAM_WRITE"},
2239 { 0, NULL((void*)0) }
2240 };
2241
2242 //Unknown fields
2243 control_offset += 16;
2244 if (size_of_pointer == 8)
2245 control_offset += 4; //Padding for 64-bit
2246
2247 dissect_procmon_access_mask(tvb, pinfo, filesystem_tree, control_offset, hf_procmon_filesystem_directory_control_notify_change_flags, 4, NULL((void*)0), file_system_create_notify_change_flags_vals);
2248 break;
2249 }
// Other Directory Control sub-operations: show the whole block undecoded.
2250 default:
2251 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_details, tvb, offset, 5 * size_of_pointer + 20, ENC_NA0x00000000);
2252 break;
2253 }
2254 break;
2255 }
// Every other operation: show the whole fixed block undecoded.
2256 default:
2257 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_details, tvb, offset, 5 * size_of_pointer + 20, ENC_NA0x00000000);
2258 break;
2259 }
// Skip the fixed block as a whole; the per-case offsets above are private.
2260 offset += (5 * size_of_pointer + 20);
2261
// Path: 2-byte size/encoding header, 2 bytes of padding, then the string
// (ASCII or UTF-16 as flagged in the header, path_char_count characters).
2262 dissect_procmon_detail_string_info(tvb, filesystem_tree, offset,
2263 hf_procmon_filesystem_path_size, hf_procmon_filesystem_path_is_ascii, hf_procmon_filesystem_path_char_count, ett_procmon_filesystem_path,
2264 &is_path_ascii, &path_char_count);
2265 offset += 2;
2266 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_padding, tvb, offset, 2, ENC_NA0x00000000);
2267 offset += 2;
2268 offset = dissect_procmon_detail_string(tvb, filesystem_tree, offset, is_path_ascii, path_char_count, hf_procmon_filesystem_path);
2269
// Operation-specific variable-size tail after the path.
2270 switch(operation)
2271 {
2272 case PROCMON_FILESYSTEM_OPERATION_CREATE_FILE20:
2273 {
2274 uint32_t sid_length;
2275 dissect_procmon_access_mask(tvb, pinfo, filesystem_tree, offset, hf_procmon_filesystem_create_file_access_mask, 4, file_system_access_mask_mapping, file_system_access_mask_vals);
2276 offset += 4;
2277 proto_tree_add_item_ret_uint(filesystem_tree, hf_procmon_filesystem_create_file_impersonating_sid_length, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000, &sid_length);
2278 offset += 1;
2279 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_padding, tvb, offset, 3, ENC_NA0x00000000);
2280 offset += 3;
// Optional impersonation SID (binary SID: revision, sub-authority count,
// 48-bit big-endian identifier authority, then count 32-bit sub-authorities).
// NOTE(review): sid_length only sizes the subtree; the bytes actually walked
// are 8 + 4 * count, and the two are never checked against each other.
2281 if (sid_length > 0)
2282 {
2283 uint32_t revision, count, value;
2284 uint64_t identifier_authority;
2285 int sid_offset = offset;
2286 proto_item* sid_item;
2287 wmem_strbuf_t* impersonating_strbuf = wmem_strbuf_new(pinfo->pool, "S-");
2288 proto_tree* impersonating_tree = proto_tree_add_subtree(filesystem_tree, tvb, sid_offset, sid_length, ett_procmon_filesystem_create_file_impersonating, &sid_item, "Impersonating SID");
2289 proto_tree_add_item_ret_uint(impersonating_tree, hf_procmon_filesystem_create_file_sid_revision, tvb, sid_offset, 1, ENC_LITTLE_ENDIAN0x80000000, &revision);
2290 sid_offset += 1;
2291 proto_tree_add_item_ret_uint(impersonating_tree, hf_procmon_filesystem_create_file_sid_count, tvb, sid_offset, 1, ENC_LITTLE_ENDIAN0x80000000, &count);
2292 sid_offset += 1;
2293 proto_tree_add_item_ret_uint64(impersonating_tree, hf_procmon_filesystem_create_file_sid_authority, tvb, sid_offset, 6, ENC_BIG_ENDIAN0x00000000, &identifier_authority);
2294 sid_offset += 6;
// NOTE(review): the generated string prints the authority as 12 hex digits and
// every sub-authority as %08x, whereas the conventional S-R-I-S... notation
// (and Process Monitor's own display) uses decimal; a SID shown here will not
// match the same SID as written elsewhere — confirm whether hex is intended.
2295 wmem_strbuf_append_printf(impersonating_strbuf, "%u-%012" PRIx64"l" "x", revision, identifier_authority);
2296 for (uint32_t i = 0; i < count; i++)
2297 {
2298 proto_tree_add_item_ret_uint(impersonating_tree, hf_procmon_filesystem_create_file_sid_value, tvb, sid_offset, 4, ENC_LITTLE_ENDIAN0x80000000, &value);
2299 wmem_strbuf_append_printf(impersonating_strbuf, "-%08x", value);
2300 sid_offset += 4;
2301 }
2302 proto_item* sid_string_item = proto_tree_add_string(impersonating_tree, hf_procmon_filesystem_create_file_impersonating, tvb, offset, sid_offset - offset, wmem_strbuf_get_str(impersonating_strbuf));
2303 PROTO_ITEM_SET_GENERATED(sid_string_item)proto_item_set_generated((sid_string_item));
2304 proto_item_append_text(sid_item, " (%s)", wmem_strbuf_get_str(impersonating_strbuf));
2305 }
// offset is not advanced past the SID; nothing else is decoded for this case.
2306 break;
2307 }
2308 case PROCMON_FILESYSTEM_OPERATION_FILE_SYSTEM_CONTROL33:
2309 case PROCMON_FILESYSTEM_OPERATION_DEVICE_IO_CONTROL34:
// Only the two offload FSCTLs carry a decoded tail (ioctl_value was read in
// the fixed block above); other codes leave the remainder untouched.
2310 switch (ioctl_value)
2311 {
2312 case 0x94264: // FSCTL_OFFLOAD_READ
2313 offset += 8; // 8 undecoded bytes precede the offset for the read variant
2314 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_ioctl_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN0x80000000);
2315 offset += 8;
2316 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_ioctl_length, tvb, offset, 8, ENC_LITTLE_ENDIAN0x80000000);
2317 offset += 8; // not read afterwards; kept as layout bookkeeping
2318 break;
2319 case 0x98268: // FSCTL_OFFLOAD_WRITE
2320 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_ioctl_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN0x80000000);
2321 offset += 8;
2322 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_ioctl_length, tvb, offset, 8, ENC_LITTLE_ENDIAN0x80000000);
2323 offset += 8; // not read afterwards; kept as layout bookkeeping
2324 break;
2325 }
2326 break;
2327
// Directory Control: a second string (the directory / search pattern) using
// the same size header as the path, but without the 2 padding bytes.
2328 case PROCMON_FILESYSTEM_OPERATION_DIRECTORY_CONTROL32:
2329 dissect_procmon_detail_string_info(tvb, filesystem_tree, offset,
2330 hf_procmon_filesystem_directory_size, hf_procmon_filesystem_directory_is_ascii, hf_procmon_filesystem_directory_char_count, ett_procmon_filesystem_directory,
2331 &is_path_ascii, &path_char_count);
2332 offset += 2;
2333 offset = dissect_procmon_detail_string(tvb, filesystem_tree, offset, is_path_ascii, path_char_count, hf_procmon_filesystem_directory);
2334 break;
2335
// Set Information File / Disposition: the delete flag (1 byte + 3 padding).
2336 case PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE26:
2337 switch (sub_operation)
2338 {
2339 case PROCMON_FILESYSTEM_OPERATION_SET_INFORMATION_FILE_DISPOSITION0x0D:
2340 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_set_info_file_disposition_delete, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
2341 offset += 1;
2342 proto_tree_add_item(filesystem_tree, hf_procmon_filesystem_padding, tvb, offset, 3, ENC_NA0x00000000);
2343 offset += 3; // not read afterwards; kept as layout bookkeeping
2344 break;
2345 }
2346 break;
2347
2348 default:
2349 break;
2350 }
2351
// True only when one of the extra-details reads above happened.
2352 return (extra_offset > 0);
2353}
2354
/* Operation codes of the Profiling event class (the analyser shows each macro
 * with its expansion appended). */
2355#define PROCMON_PROFILING_OPERATION_THREAD0x0000 0x0000
2356#define PROCMON_PROFILING_OPERATION_PROCESS0x0001 0x0001
2357#define PROCMON_PROFILING_OPERATION_DEBUG_OUTPUT0x0002 0x0002
2358
/* Labels for the profiling operation field. */
2359static const value_string profiling_operation_vals[] = {
2360 { PROCMON_PROFILING_OPERATION_THREAD0x0000, "Thread" },
2361 { PROCMON_PROFILING_OPERATION_PROCESS0x0001, "Process" },
2362 { PROCMON_PROFILING_OPERATION_DEBUG_OUTPUT0x0002, "Debug Output" },
2363 { 0, NULL((void*)0) }
2364};
2365
/*
 * Dissect the details block of a Process Monitor profiling event.
 *
 * tvb               - the event's details buffer
 * pinfo             - unused
 * tree              - parent tree; a "Profiling Data" subtree is added to it
 * operation         - PROCMON_PROFILING_OPERATION_* selector
 * extra_details_tvb - unused
 *
 * Returns false: no extra details are consumed.  The per-operation payload
 * layout is not decoded yet; only the container subtree is created.
 */
static bool dissect_procmon_profiling_event(tvbuff_t* tvb, packet_info* pinfo _U_, proto_tree* tree, uint32_t operation, tvbuff_t* extra_details_tvb _U_)
{
    const int offset = 0;

    /* Whole remaining buffer (-1) goes under one subtree. */
    proto_tree_add_subtree(tree, tvb, offset, -1, ett_procmon_profiling_event, NULL, "Profiling Data");

    switch (operation) {
    case PROCMON_PROFILING_OPERATION_THREAD:
    case PROCMON_PROFILING_OPERATION_PROCESS:
    case PROCMON_PROFILING_OPERATION_DEBUG_OUTPUT:
    default:
        /* Payload layout unknown for every operation: nothing decoded. */
        break;
    }

    return false;
}
2385
/* Operation codes of the Network event class (the analyser shows each macro
 * with its expansion appended). */
2386#define PROCMON_NETWORK_OPERATION_UNKNOWN0x0000 0x0000
2387#define PROCMON_NETWORK_OPERATION_OTHER0x0001 0x0001
2388#define PROCMON_NETWORK_OPERATION_SEND0x0002 0x0002
2389#define PROCMON_NETWORK_OPERATION_RECEIVE0x0003 0x0003
2390#define PROCMON_NETWORK_OPERATION_ACCEPT0x0004 0x0004
2391#define PROCMON_NETWORK_OPERATION_CONNECT0x0005 0x0005
2392#define PROCMON_NETWORK_OPERATION_DISCONNECT0x0006 0x0006
2393#define PROCMON_NETWORK_OPERATION_RECONNECT0x0007 0x0007
2394#define PROCMON_NETWORK_OPERATION_RETRANSMIT0x0008 0x0008
2395#define PROCMON_NETWORK_OPERATION_TCP_COPY0x0009 0x0009
2396
/* Labels for the network operation field. */
2397static const value_string network_operation_vals[] = {
2398 { PROCMON_NETWORK_OPERATION_UNKNOWN0x0000, "Unknown" },
2399 { PROCMON_NETWORK_OPERATION_OTHER0x0001, "Other" },
2400 { PROCMON_NETWORK_OPERATION_SEND0x0002, "Send" },
2401 { PROCMON_NETWORK_OPERATION_RECEIVE0x0003, "Receive" },
2402 { PROCMON_NETWORK_OPERATION_ACCEPT0x0004, "Accept" },
2403 { PROCMON_NETWORK_OPERATION_CONNECT0x0005, "Connect" },
2404 { PROCMON_NETWORK_OPERATION_DISCONNECT0x0006, "Disconnect" },
2405 { PROCMON_NETWORK_OPERATION_RECONNECT0x0007, "Reconnect" },
2406 { PROCMON_NETWORK_OPERATION_RETRANSMIT0x0008, "Retransmit" },
2407 { PROCMON_NETWORK_OPERATION_TCP_COPY0x0009, "TCP Copy" },
2408 { 0, NULL((void*)0) }
2409};
2410
/* true/false labels for the transport bit of the network flags word. */
2411static const true_false_string tfs_tcp_udp = { "TCP", "UDP" };
2412
/* Bits of the 16-bit flags word at the start of a network event: address
 * family of source and destination (set = IPv4, clear = IPv6) and transport. */
2413#define NETWORK_FLAG_IS_SRC_IPv4_MASK0x0001 0x0001
2414#define NETWORK_FLAG_IS_DEST_IPv4_MASK0x0002 0x0002
2415#define NETWORK_FLAG_IS_TCP_MASK0x0004 0x0004
2416
/*
 * Dissect the details block of a Process Monitor network event.
 *
 * tvb               - the event's details buffer, dissected from offset 0
 * pinfo             - packet info; pinfo->pool backs the details string
 * tree              - parent tree; a "Network Data" subtree is added to it
 * operation         - unused
 * extra_details_tvb - unused
 *
 * Returns false: no extra details are consumed.
 *
 * Layout: 2-byte flags, 2 unknown bytes, 4-byte length, source and destination
 * addresses (each 16 bytes: IPv4 + 12 padding, or a full IPv6 address, chosen
 * by the flags), source and destination ports, then a list of NUL-terminated
 * UTF-16LE strings ended by an empty string.
 */
2417static bool_Bool dissect_procmon_network_event(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, uint32_t operation _U___attribute__((unused)), tvbuff_t* extra_details_tvb _U___attribute__((unused)))
2418{
2419 proto_tree* network_event_tree;
2420 int offset = 0;
2421 uint16_t flags;
2422 int detail_length, detail_offset;
2423 uint8_t* detail_substring;
2424 wmem_strbuf_t* details = wmem_strbuf_new(pinfo->pool, "");
// Bitmask sub-fields of the flags word, in NETWORK_FLAG_*_MASK bit order.
2425 static int* const network_flags_vals[] = {
2426 &hf_procmon_network_flags_is_src_ipv4,
2427 &hf_procmon_network_flags_is_dst_ipv4,
2428 &hf_procmon_network_flags_tcp_udp,
2429 NULL((void*)0)
2430 };
2431
2432 network_event_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_procmon_network_event, NULL((void*)0), "Network Data");
2433
// The flags are both displayed as a bitmask and read back to steer the
// address decoding below.
2434 proto_tree_add_bitmask_with_flags(network_event_tree, tvb, offset, hf_procmon_network_flags, ett_procmon_network_flags, network_flags_vals, ENC_LITTLE_ENDIAN0x80000000, BMT_NO_APPEND0x01);
2435 flags = tvb_get_letohs(tvb, offset);
2436 offset += 2;
2437
2438 //Unknown fields
2439 offset += 2;
2440
2441 proto_tree_add_item(network_event_tree, hf_procmon_network_length, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
2442 offset += 4;
// Address slots are 16 bytes wide either way; an IPv4 address occupies the
// first 4 bytes and the rest is padding.
2443 if (flags & NETWORK_FLAG_IS_SRC_IPv4_MASK0x0001)
2444 {
2445 proto_tree_add_item(network_event_tree, hf_procmon_network_src_ipv4, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
2446 offset += 4;
2447 proto_tree_add_item(network_event_tree, hf_procmon_network_padding, tvb, offset, 12, ENC_NA0x00000000);
2448 offset += 12;
2449 }
2450 else
2451 {
2452 proto_tree_add_item(network_event_tree, hf_procmon_network_src_ipv6, tvb, offset, IPv6_ADDR_SIZE16, ENC_NA0x00000000);
2453 offset += IPv6_ADDR_SIZE16;
2454 }
2455 if (flags & NETWORK_FLAG_IS_DEST_IPv4_MASK0x0002)
2456 {
2457 proto_tree_add_item(network_event_tree, hf_procmon_network_dest_ipv4, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
2458 offset += 4;
2459 proto_tree_add_item(network_event_tree, hf_procmon_network_padding, tvb, offset, 12, ENC_NA0x00000000);
2460 offset += 12;
2461 }
2462 else
2463 {
2464 proto_tree_add_item(network_event_tree, hf_procmon_network_dest_ipv6, tvb, offset, IPv6_ADDR_SIZE16, ENC_NA0x00000000);
2465 offset += IPv6_ADDR_SIZE16;
2466 }
2467 proto_tree_add_item(network_event_tree, hf_procmon_network_src_port, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
2468 offset += 2;
2469 proto_tree_add_item(network_event_tree, hf_procmon_network_dest_port, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
2470 offset += 2;
// Collect the string list into one space-separated details value.  Each
// iteration reads one NUL-terminated UTF-16LE string (detail_length is the
// byte count consumed, terminator included) and stops at the first empty one.
// There is no explicit cap on the number of strings or on the total length;
// an unterminated list is caught only by the tvb accessor running out of data.
2471 detail_offset = offset;
2472 while (((detail_substring = tvb_get_stringz_enc(pinfo->pool, tvb, offset, &detail_length, ENC_UTF_160x00000004 | ENC_LITTLE_ENDIAN0x80000000)) != NULL((void*)0)) && (strlen(detail_substring) > 0))
2473 {
2474 wmem_strbuf_append_printf(details, " %s", detail_substring);
2475 offset += detail_length;
2476 }
2477 //Include the NULL string at the end of the list
2478 offset += 2;
2479 proto_tree_add_string(network_event_tree, hf_procmon_network_details, tvb, detail_offset, offset-detail_offset, wmem_strbuf_get_str(details));
2480
2481 return false0;
2482}
2483
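static int
dissect_procmon_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
    /*
     * Dissect one Process Monitor event record.
     *
     * Layout as decoded here: a 52-byte fixed header, a 4-byte stack trace
     * size followed by that many bytes of return addresses, a details block
     * whose size the header declares and, when the header announces extra
     * details, a 16-bit length followed by the extra details block.  The
     * details are handed to the per-class dissector for the event class; an
     * unknown class, or extra details the class dissector does not claim,
     * are shown as raw bytes.
     *
     * tvb   - buffer holding the whole event record (offset 0 = record start)
     * pinfo - packet info; the pseudo header supplies the capture's bitness,
     *         which decides the stack trace address width
     * tree  - parent tree to attach the "MS Procmon" item to
     * data  - unused
     *
     * Returns the number of bytes consumed.  NOTE(review): when the class
     * dissector claims the extra details, the returned length stops before
     * them (as in the original code) -- confirm whether callers rely on it.
     *
     * Sizes are read from the record itself (untrusted input).  The stack
     * trace size is checked against the buffer before it drives a loop; the
     * other sizes are passed straight to the tvb API, which presumably
     * throws on a short buffer.
     */
    proto_item *ti, *ti_event, *ti_operation;
    proto_tree *procmon_tree, *header_tree, *stack_trace_tree;
    int offset = 0;
    uint32_t event_class, operation;
    uint32_t stack_trace_size, details_size, extra_details_offset;
    nstime_t timestamp;
    uint16_t extra_details_size = 0;
    /* Generic operation field; replaced below for the known event classes. */
    int hf_operation = hf_procmon_operation_type;
    const value_string *operation_vs = NULL;
    bool handle_extra_details = false;
    tvbuff_t *details_tvb, *extra_details_tvb;

    col_set_str(pinfo->cinfo, COL_PROTOCOL, PSNAME);
    col_clear(pinfo->cinfo, COL_INFO);
    col_set_str(pinfo->cinfo, COL_INFO, "MS Procmon Event");

    ti = proto_tree_add_item(tree, proto_procmon, tvb, 0, -1, ENC_NA);
    procmon_tree = proto_item_add_subtree(ti, ett_procmon);

    /* Fixed header: 4+4+4+2+6+8+8+4+2+2+4+4 = 52 bytes. */
    header_tree = proto_tree_add_subtree(procmon_tree, tvb, offset, 52, ett_procmon_header, NULL, "Event Header");

    proto_tree_add_item(header_tree, hf_procmon_process_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
    offset += 4;
    proto_tree_add_item(header_tree, hf_procmon_thread_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
    offset += 4;
    ti_event = proto_tree_add_item_ret_uint(header_tree, hf_procmon_event_class, tvb, offset, 4, ENC_LITTLE_ENDIAN, &event_class);
    offset += 4;

    /* The operation code is interpreted per event class. */
    switch (event_class)
    {
    case PROCMON_EVENT_CLASS_TYPE_PROCESS:
        operation_vs = process_operation_vals;
        hf_operation = hf_procmon_process_operation;
        break;
    case PROCMON_EVENT_CLASS_TYPE_REGISTRY:
        operation_vs = registry_operation_vals;
        hf_operation = hf_procmon_registry_operation;
        break;
    case PROCMON_EVENT_CLASS_TYPE_FILE_SYSTEM:
        operation_vs = filesystem_operation_vals;
        hf_operation = hf_procmon_filesystem_operation;
        break;
    case PROCMON_EVENT_CLASS_TYPE_PROFILING:
        operation_vs = profiling_operation_vals;
        hf_operation = hf_procmon_profiling_operation;
        break;
    case PROCMON_EVENT_CLASS_TYPE_NETWORK:
        operation_vs = network_operation_vals;
        hf_operation = hf_procmon_network_operation;
        break;
    default:
        /* Unknown class: keep the generic field, no value string. */
        break;
    }
    ti_operation = proto_tree_add_item_ret_uint(header_tree, hf_operation, tvb, offset, 2, ENC_LITTLE_ENDIAN, &operation);
    offset += 2;

    if (operation_vs != NULL)
    {
        const char *event_class_str = val_to_str_const(event_class, event_class_vals, "Unknown");
        const char *operation_str = try_val_to_str(operation, operation_vs);
        if (operation_str == NULL)
        {
            expert_add_info_format(pinfo, ti_operation, &ei_procmon_unknown_operation, "Unknown %s operation: 0x%04x", event_class_str, operation);
            col_add_fstr(pinfo->cinfo, COL_INFO, "%s Operation: Unknown (0x%04x)", event_class_str, operation);
        }
        else
        {
            col_add_fstr(pinfo->cinfo, COL_INFO, "%s Operation: %s", event_class_str, operation_str);
        }
    }

    /* Next 6 bytes are unknown */
    offset += 6;
    proto_tree_add_item(header_tree, hf_procmon_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
    offset += 8;
    /* The timestamp is stored as a FILETIME; convert it for display. */
    filetime_to_nstime(&timestamp, tvb_get_letoh64(tvb, offset));
    proto_tree_add_time(header_tree, hf_procmon_timestamp, tvb, offset, 8, &timestamp);
    offset += 8;
    proto_tree_add_item(header_tree, hf_procmon_event_result, tvb, offset, 4, ENC_LITTLE_ENDIAN);
    offset += 4;
    proto_tree_add_item(header_tree, hf_procmon_stack_trace_depth, tvb, offset, 2, ENC_LITTLE_ENDIAN);
    offset += 2;
    /* Next 2 bytes are unknown */
    offset += 2;
    proto_tree_add_item_ret_uint(header_tree, hf_procmon_details_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &details_size);
    offset += 4;
    proto_tree_add_item_ret_uint(header_tree, hf_procmon_extra_details_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &extra_details_offset);
    offset += 4;

    /* Stack trace: byte size, then return addresses of the capture's native
     * pointer width.  The size is record-supplied, so it is bounded against
     * the buffer *before* it drives the loop: the previous form stepped a
     * uint32_t index by the pointer width up to the declared size, which on
     * a crafted size could wrap and spin, or decode a partial trailing
     * address and leave the details block misaligned. */
    stack_trace_size = tvb_get_letohl(tvb, offset);
    offset += 4;
    if (stack_trace_size > 0)
    {
        const int size_of_pointer = pinfo->pseudo_header->procmon.system_bitness ? 8 : 4;
        const int stack_trace_start = offset;
        uint32_t address_count;

        if (stack_trace_size > (uint32_t)tvb_reported_length_remaining(tvb, offset))
        {
            THROW(ReportedBoundsError);
        }

        stack_trace_tree = proto_tree_add_subtree(procmon_tree, tvb, offset, stack_trace_size, ett_procmon_stack_trace, NULL, "Stack Trace");

        /* Decode only whole addresses; any trailing partial bytes are
         * skipped by advancing by the declared size below. */
        address_count = stack_trace_size / (uint32_t)size_of_pointer;
        for (uint32_t i = 0; i < address_count; i++)
        {
            proto_tree_add_item(stack_trace_tree, hf_procmon_stack_trace_address, tvb, offset, size_of_pointer, ENC_LITTLE_ENDIAN);
            offset += size_of_pointer;
        }
        offset = stack_trace_start + (int)stack_trace_size;
    }

    /* Class-specific details; extra details, when announced by a non-zero
     * extra-details offset (used here only as a presence flag), carry their
     * own 16-bit length. */
    details_tvb = tvb_new_subset_length(tvb, offset, details_size);
    offset += details_size;
    if (extra_details_offset > 0)
    {
        extra_details_size = tvb_get_letohs(tvb, offset);
        offset += 2;
    }

    extra_details_tvb = tvb_new_subset_length(tvb, offset, extra_details_size);
    switch (event_class)
    {
    case PROCMON_EVENT_CLASS_TYPE_PROCESS:
        handle_extra_details = dissect_procmon_process_event(details_tvb, pinfo, procmon_tree, operation, extra_details_tvb);
        break;
    case PROCMON_EVENT_CLASS_TYPE_REGISTRY:
        handle_extra_details = dissect_procmon_registry_event(details_tvb, pinfo, procmon_tree, operation, extra_details_tvb);
        break;
    case PROCMON_EVENT_CLASS_TYPE_FILE_SYSTEM:
        handle_extra_details = dissect_procmon_filesystem_event(details_tvb, pinfo, procmon_tree, operation, extra_details_tvb);
        break;
    case PROCMON_EVENT_CLASS_TYPE_PROFILING:
        handle_extra_details = dissect_procmon_profiling_event(details_tvb, pinfo, procmon_tree, operation, extra_details_tvb);
        break;
    case PROCMON_EVENT_CLASS_TYPE_NETWORK:
        handle_extra_details = dissect_procmon_network_event(details_tvb, pinfo, procmon_tree, operation, extra_details_tvb);
        break;
    default:
        /* No class dissector: flag it and show the details as raw bytes. */
        expert_add_info(pinfo, ti_event, &ei_procmon_unknown_event_class);
        proto_tree_add_item(procmon_tree, hf_procmon_detail_data, details_tvb, 0, details_size, ENC_NA);
        break;
    }

    /* Extra details the class dissector did not claim are shown as raw bytes. */
    if ((extra_details_size > 0) && (!handle_extra_details))
    {
        proto_tree_add_item(procmon_tree, hf_procmon_extra_detail_data, tvb, offset, extra_details_size, ENC_NA);
        offset += extra_details_size;
    }

    return offset;
}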
2640
2641/*
2642 * Register the protocol with Wireshark.
2643 */
2644void
2645proto_register_procmon(void)
2646{
2647 static hf_register_info hf[] = {
2648 { &hf_procmon_process_index,
2649 { "Process Index", "procmon.process_index",
2650 FT_UINT32, BASE_DEC_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2651 },
2652 { &hf_procmon_thread_id,
2653 { "Thread ID", "procmon.thread_id",
2654 FT_UINT32, BASE_DEC_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2655 },
2656 { &hf_procmon_event_class,
2657 { "Event Class", "procmon.event_class",
2658 FT_UINT32, BASE_DEC, VALS(event_class_vals)((0 ? (const struct _value_string*)0 : ((event_class_vals)))), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0)}
2659 },
2660 { &hf_procmon_operation_type,
2661 { "Operation Type", "procmon.operation_type",
2662 FT_UINT16, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2663 },
2664 { &hf_procmon_duration,
2665 { "Duration", "procmon.duration",
2666 FT_UINT64, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2667 },
2668 { &hf_procmon_timestamp,
2669 { "Timestamp", "procmon.timestamp",
2670 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2671 },
2672 { &hf_procmon_event_result,
2673 { "Event Result", "procmon.event_result",
2674 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2675 },
2676 { &hf_procmon_stack_trace_depth,
2677 { "Stack Trace Depth", "procmon.stack_trace_depth",
2678 FT_UINT16, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2679 },
2680 { &hf_procmon_details_size,
2681 { "Details Size", "procmon.details_size",
2682 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2683 },
2684 { &hf_procmon_extra_details_offset,
2685 { "Extra Details Offset", "procmon.extra_details_offset",
2686 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2687 },
2688 { &hf_procmon_stack_trace_address,
2689 { "Stack trace address", "procmon.stack_trace_address",
2690 FT_UINT64, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2691 },
2692 { &hf_procmon_detail_data,
2693 { "Detail Data", "procmon.detail_data",
2694 FT_BYTES, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2695 },
2696 { &hf_procmon_extra_detail_data,
2697 { "Extra detail data", "procmon.extra_detail_data",
2698 FT_BYTES, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2699 },
2700 { &hf_procmon_process_operation,
2701 { "Operation Type", "procmon.process.operation_type",
2702 FT_UINT16, BASE_DEC, VALS(process_operation_vals)((0 ? (const struct _value_string*)0 : ((process_operation_vals
))))
, 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0)}
2703 },
2704 { &hf_procmon_process_pid,
2705 { "PID", "procmon.process.pid",
2706 FT_UINT32, BASE_DEC_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2707 },
2708 { &hf_procmon_process_path,
2709 { "Path", "procmon.process.path",
2710 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2711 },
2712 { &hf_procmon_process_path_size,
2713 { "Path Size", "procmon.process.path.size",
2714 FT_UINT16, BASE_DEC_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2715 },
2716 { &hf_procmon_process_path_is_ascii,
2717 { "Is ASCII", "procmon.process.path.is_ascii",
2718 FT_BOOLEAN, 16, NULL((void*)0), STRING_IS_ASCII_MASK0x8000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2719 },
2720 { &hf_procmon_process_path_char_count,
2721 { "Char Count", "procmon.process.path.char_count",
2722 FT_UINT16, BASE_DEC, NULL((void*)0), STRING_CHAR_COUNT_MASK0x7FFF, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2723 },
2724 { &hf_procmon_process_commandline,
2725 { "Commandline", "procmon.process.commandline",
2726 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2727 },
2728 { &hf_procmon_process_commandline_size,
2729 { "Commandline Size", "procmon.process.commandline.size",
2730 FT_UINT16, BASE_DEC_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2731 },
2732 { &hf_procmon_process_commandline_is_ascii,
2733 { "Is ASCII", "procmon.process.commandline.is_ascii",
2734 FT_BOOLEAN, 16, NULL((void*)0), STRING_IS_ASCII_MASK0x8000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2735 },
2736 { &hf_procmon_process_commandline_char_count,
2737 { "Char Count", "procmon.process.commandline.char_count",
2738 FT_UINT16, BASE_DEC, NULL((void*)0), STRING_CHAR_COUNT_MASK0x7FFF, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2739 },
2740 { &hf_procmon_process_exit_status,
2741 { "Exit Status", "procmon.process.exit_status",
2742 FT_UINT32, BASE_DEC_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2743 },
2744 { &hf_procmon_process_kernel_time,
2745 { "Kernel time", "procmon.process.kernel_time",
2746 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2747 },
2748 { &hf_procmon_process_user_time,
2749 { "User time", "procmon.process.user_time",
2750 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2751 },
2752 { &hf_procmon_process_working_set,
2753 { "Working Set", "procmon.process.working_set",
2754 FT_UINT64, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2755 },
2756 { &hf_procmon_process_peak_working_set,
2757 { "Peak Working Set", "procmon.process.peak_working_set",
2758 FT_UINT64, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2759 },
2760 { &hf_procmon_process_private_bytes,
2761 { "Private Bytes", "procmon.process.private_bytes",
2762 FT_UINT64, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2763 },
2764 { &hf_procmon_process_peak_private_bytes,
2765 { "Peak Private Bytes", "procmon.process.peak_private_bytes",
2766 FT_UINT64, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2767 },
2768 { &hf_procmon_process_thread_id,
2769 { "Thread ID", "procmon.process.thread_id",
2770 FT_UINT32, BASE_DEC_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2771 },
2772 { &hf_procmon_process_image_base,
2773 { "Image Base", "procmon.process.image_base",
2774 FT_UINT64, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2775 },
2776 { &hf_procmon_process_image_size,
2777 { "Image Size", "procmon.process.image_size",
2778 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2779 },
2780 { &hf_procmon_process_parent_pid,
2781 { "Parent PID", "procmon.process.parent_pid",
2782 FT_UINT32, BASE_DEC_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2783 },
2784 { &hf_procmon_process_curdir,
2785 { "Current Directory", "procmon.process.curdir",
2786 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2787 },
2788 { &hf_procmon_process_curdir_size,
2789 { "Current Directory Size", "procmon.process.curdir.size",
2790 FT_UINT16, BASE_DEC_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2791 },
2792 { &hf_procmon_process_curdir_is_ascii,
2793 { "Is ASCII", "procmon.process.curdir.is_ascii",
2794 FT_BOOLEAN, 16, NULL((void*)0), STRING_IS_ASCII_MASK0x8000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2795 },
2796 { &hf_procmon_process_curdir_char_count,
2797 { "Char Count", "procmon.process.curdir.char_count",
2798 FT_UINT16, BASE_DEC, NULL((void*)0), STRING_CHAR_COUNT_MASK0x7FFF, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2799 },
2800 { &hf_procmon_process_environment_char_count,
2801 { "Environment Size", "procmon.process.environment.char_count",
2802 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2803 },
2804 { &hf_procmon_process_environment,
2805 { "Environment", "procmon.process.environment",
2806 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2807 },
2808 { &hf_procmon_registry_operation,
2809 { "Operation Type", "procmon.registry.operation_type",
2810 FT_UINT16, BASE_DEC, VALS(registry_operation_vals)((0 ? (const struct _value_string*)0 : ((registry_operation_vals
))))
, 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2811 },
2812 { &hf_procmon_registry_desired_access,
2813 { "Desired Access", "procmon.registry.desired_access",
2814 FT_UINT32, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2815 },
2816 { &hf_procmon_registry_granted_access,
2817 { "Granted Access", "procmon.registry.granted_access",
2818 FT_UINT32, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2819 },
2820 { &hf_procmon_registry_disposition,
2821 { "Disposition", "procmon.registry.disposition",
2822 FT_UINT32, BASE_DEC, VALS(registry_disposition_vals)((0 ? (const struct _value_string*)0 : ((registry_disposition_vals
))))
, 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0)}
2823 },
2824 { &hf_procmon_registry_key,
2825 { "Key", "procmon.registry.key",
2826 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2827 },
2828 { &hf_procmon_registry_key_size,
2829 { "Key Size", "procmon.registry.key.size",
2830 FT_UINT16, BASE_DEC_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2831 },
2832 { &hf_procmon_registry_key_is_ascii,
2833 { "Is ASCII", "procmon.registry.key.is_ascii",
2834 FT_BOOLEAN, 16, NULL((void*)0), STRING_IS_ASCII_MASK0x8000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2835 },
2836 { &hf_procmon_registry_key_char_count,
2837 { "Char Count", "procmon.registry.key.char_count",
2838 FT_UINT16, BASE_DEC, NULL((void*)0), STRING_CHAR_COUNT_MASK0x7FFF, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2839 },
2840 { &hf_procmon_registry_new_key,
2841 { "New Key", "procmon.registry.new_key",
2842 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2843 },
2844 { &hf_procmon_registry_new_key_size,
2845 { "New Key Size", "procmon.registry.new_key.size",
2846 FT_UINT16, BASE_DEC_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2847 },
2848 { &hf_procmon_registry_new_key_is_ascii,
2849 { "Is ASCII", "procmon.registry.new_key.is_ascii",
2850 FT_BOOLEAN, 16, NULL((void*)0), STRING_IS_ASCII_MASK0x8000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2851 },
2852 { &hf_procmon_registry_new_key_char_count,
2853 { "Char Count", "procmon.registry.new_key.char_count",
2854 FT_UINT16, BASE_DEC, NULL((void*)0), STRING_CHAR_COUNT_MASK0x7FFF, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2855 },
2856 { &hf_procmon_registry_value,
2857 { "Value", "procmon.registry.value",
2858 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2859 },
2860 { &hf_procmon_registry_value_size,
2861 { "Value Size", "procmon.registry.value.size",
2862 FT_UINT16, BASE_DEC_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2863 },
2864 { &hf_procmon_registry_value_is_ascii,
2865 { "Is ASCII", "procmon.registry.value.is_ascii",
2866 FT_BOOLEAN, 16, NULL((void*)0), STRING_IS_ASCII_MASK0x8000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2867 },
2868 { &hf_procmon_registry_value_char_count,
2869 { "Char Count", "procmon.registry.value.char_count",
2870 FT_UINT16, BASE_DEC, NULL((void*)0), STRING_CHAR_COUNT_MASK0x7FFF, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2871 },
2872 { &hf_procmon_registry_length,
2873 { "Length", "procmon.registry.length",
2874 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2875 },
2876 { &hf_procmon_registry_key_information_class,
2877 { "Information Class", "procmon.registry.key.information_class",
2878 FT_UINT32, BASE_DEC, VALS(registry_key_information_class_vals)((0 ? (const struct _value_string*)0 : ((registry_key_information_class_vals
))))
, 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0)}
2879 },
2880 { &hf_procmon_registry_key_set_information_class,
2881 { "Information Class", "procmon.registry.key.set_information_class",
2882 FT_UINT32, BASE_DEC, VALS(registry_value_set_information_class_vals)((0 ? (const struct _value_string*)0 : ((registry_value_set_information_class_vals
))))
, 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0)}
2883 },
2884 { &hf_procmon_registry_value_information_class,
2885 { "Information Class", "procmon.registry.value.information_class",
2886 FT_UINT32, BASE_DEC, VALS(registry_value_information_class_vals)((0 ? (const struct _value_string*)0 : ((registry_value_information_class_vals
))))
, 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0)}
2887 },
2888 { &hf_procmon_registry_index,
2889 { "Index", "procmon.registry.index",
2890 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2891 },
2892 { &hf_procmon_registry_type,
2893 { "Type", "procmon.registry.type",
2894 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2895 },
2896 { &hf_procmon_registry_data_length,
2897 { "Data Length", "procmon.registry.data_length",
2898 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2899 },
2900 { &hf_procmon_registry_key_name_size,
2901 { "Name Size", "procmon.registry.key.name_size",
2902 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2903 },
2904 { &hf_procmon_registry_key_name,
2905 { "Name", "procmon.registry.key.name",
2906 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2907 },
2908 { &hf_procmon_registry_key_handle_tags,
2909 { "Handle Tags", "procmon.registry.key.handle_tags",
2910 FT_UINT32, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2911 },
2912 { &hf_procmon_registry_key_flags,
2913 { "Flags", "procmon.registry.key.flags",
2914 FT_UINT32, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2915 },
2916 { &hf_procmon_registry_key_last_write_time,
2917 { "Last Write Time", "procmon.registry.key.last_write_time",
2918 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2919 },
2920 { &hf_procmon_registry_key_title_index,
2921 { "Title Index", "procmon.registry.key.title_index",
2922 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2923 },
2924 { &hf_procmon_registry_key_subkeys,
2925 { "Subkeys", "procmon.registry.key.subkeys",
2926 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2927 },
2928 { &hf_procmon_registry_key_max_name_len,
2929 { "Max Name Length", "procmon.registry.key.max_name_len",
2930 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2931 },
2932 { &hf_procmon_registry_key_values,
2933 { "Values", "procmon.registry.key.values",
2934 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2935 },
2936 { &hf_procmon_registry_key_max_value_name_len,
2937 { "Max Value Name Length", "procmon.registry.key.max_value_name_len",
2938 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2939 },
2940 { &hf_procmon_registry_key_max_value_data_len,
2941 { "Max Value Data Length", "procmon.registry.key.max_value_data_len",
2942 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2943 },
2944 { &hf_procmon_registry_key_class_offset,
2945 { "Class Offset", "procmon.registry.key.class_offset",
2946 FT_UINT32, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2947 },
2948 { &hf_procmon_registry_key_class_length,
2949 { "Class Length", "procmon.registry.key.class_length",
2950 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2951 },
2952 { &hf_procmon_registry_key_max_class_len,
2953 { "Max Class Length", "procmon.registry.key.max_class_len",
2954 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2955 },
2956 { &hf_procmon_registry_value_reg_type,
2957 { "Registry Type", "procmon.registry.value.reg_type",
2958 FT_UINT32, BASE_DEC, VALS(registry_value_reg_type_vals)((0 ? (const struct _value_string*)0 : ((registry_value_reg_type_vals
))))
, 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0)}
2959 },
2960 { &hf_procmon_registry_value_offset_to_data,
2961 { "Offset to Data", "procmon.registry.value.offset_to_data",
2962 FT_UINT32, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2963 },
2964 { &hf_procmon_registry_value_length,
2965 { "Length", "procmon.registry.value.length",
2966 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2967 },
2968 { &hf_procmon_registry_value_name_size,
2969 { "Name Size", "procmon.registry.value.name_size",
2970 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2971 },
2972 { &hf_procmon_registry_value_name,
2973 { "Name", "procmon.registry.value.name",
2974 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2975 },
2976 { &hf_procmon_registry_value_dword,
2977 { "DWORD", "procmon.registry.value.dword",
2978 FT_UINT32, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2979 },
2980 { &hf_procmon_registry_value_qword,
2981 { "QWORD", "procmon.registry.value.qword",
2982 FT_UINT64, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2983 },
2984 { &hf_procmon_registry_value_sz,
2985 { "SZ", "procmon.registry.value.sz",
2986 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2987 },
2988 { &hf_procmon_registry_value_binary,
2989 { "Binary", "procmon.registry.value.binary",
2990 FT_BYTES, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2991 },
2992 { &hf_procmon_registry_value_multi_sz,
2993 { "MultiSZ", "procmon.registry.value.multi_sz",
2994 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2995 },
2996 { &hf_procmon_registry_key_set_information_write_time,
2997 { "Last Write Time", "procmon.registry.key.set_information.write_time",
2998 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
2999 },
3000 { &hf_procmon_registry_key_set_information_wow64_flags,
3001 { "WOW64 Flags", "procmon.registry.key.set_information.wow64_flags",
3002 FT_UINT32, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3003 },
3004 { &hf_procmon_registry_key_set_information_handle_tags,
3005 { "Handle Tags", "procmon.registry.key.set_information.handle_tags",
3006 FT_UINT32, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3007 },
3008 { &hf_procmon_filesystem_operation,
3009 { "Operation Type", "procmon.filesystem.operation_type",
3010 FT_UINT16, BASE_DEC, VALS(filesystem_operation_vals)((0 ? (const struct _value_string*)0 : ((filesystem_operation_vals
))))
, 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3011 },
3012 { &hf_procmon_filesystem_suboperation,
3013 { "Suboperation", "procmon.filesystem.suboperation",
3014 FT_UINT8, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3015 },
3016 { &hf_procmon_filesystem_padding,
3017 { "Padding", "procmon.filesystem.padding",
3018 FT_BYTES, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3019 },
3020 { &hf_procmon_filesystem_details,
3021 { "Details", "procmon.filesystem.details",
3022 FT_BYTES, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3023 },
3024 { &hf_procmon_filesystem_path,
3025 { "Path", "procmon.filesystem.path",
3026 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3027 },
3028 { &hf_procmon_filesystem_path_size,
3029 { "Path Size", "procmon.filesystem.path.size",
3030 FT_UINT16, BASE_DEC_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3031 },
3032 { &hf_procmon_filesystem_path_is_ascii,
3033 { "Is ASCII", "procmon.filesystem.path.is_ascii",
3034 FT_BOOLEAN, 16, NULL((void*)0), STRING_IS_ASCII_MASK0x8000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3035 },
3036 { &hf_procmon_filesystem_path_char_count,
3037 { "Char Count", "procmon.filesystem.path.char_count",
3038 FT_UINT16, BASE_DEC, NULL((void*)0), STRING_CHAR_COUNT_MASK0x7FFF, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3039 },
3040 { &hf_procmon_filesystem_create_file_access_mask,
3041 { "File Access Mask", "procmon.filesystem.create_file.access_mask",
3042 FT_UINT32, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3043 },
3044 { &hf_procmon_filesystem_create_file_impersonating_sid_length,
3045 { "Impersonating SID Length", "procmon.filesystem.create_file.impersonating_sid_length",
3046 FT_UINT8, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3047 },
3048 { &hf_procmon_filesystem_create_file_impersonating,
3049 { "Impersonating", "procmon.filesystem.create_file.impersonating",
3050 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3051 },
3052 { &hf_procmon_filesystem_create_file_disposition,
3053 { "Disposition", "procmon.filesystem.create_file.disposition",
3054 FT_UINT8, BASE_DEC, VALS(filesystem_disposition_vals)((0 ? (const struct _value_string*)0 : ((filesystem_disposition_vals
))))
, 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0)}
3055 },
3056 { &hf_procmon_filesystem_create_file_options,
3057 { "Options", "procmon.filesystem.create_file.options",
3058 FT_UINT24, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3059 },
3060 { &hf_procmon_filesystem_create_file_attributes,
3061 { "Attributes", "procmon.filesystem.create_file.attributes",
3062 FT_UINT16, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3063 },
3064 { &hf_procmon_filesystem_create_file_share_mode,
3065 { "Share Mode", "procmon.filesystem.create_file.share_mode",
3066 FT_UINT16, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3067 },
3068 { &hf_procmon_filesystem_create_file_allocation,
3069 { "Allocation", "procmon.filesystem.create_file.allocation",
3070 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3071 },
3072 { &hf_procmon_filesystem_create_file_sid_revision,
3073 { "Revision", "procmon.filesystem.create_file.sid.revision",
3074 FT_UINT8, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3075 },
3076 { &hf_procmon_filesystem_create_file_sid_count,
3077 { "Count", "procmon.filesystem.create_file.sid.count",
3078 FT_UINT8, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3079 },
3080 { &hf_procmon_filesystem_create_file_sid_authority,
3081 { "Authority", "procmon.filesystem.create_file.sid.authority",
3082 FT_UINT48, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3083 },
3084 { &hf_procmon_filesystem_create_file_sid_value,
3085 { "Value", "procmon.filesystem.create_file.sid.value",
3086 FT_UINT32, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3087 },
3088 { &hf_procmon_filesystem_create_file_open_result,
3089 { "Open Result", "procmon.filesystem.create_file.open_result",
3090 FT_UINT32, BASE_DEC, VALS(filesystem_open_result_vals)((0 ? (const struct _value_string*)0 : ((filesystem_open_result_vals
))))
, 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0)}
3091 },
3092 { &hf_procmon_filesystem_readwrite_file_io_flags,
3093 { "IO Flags", "procmon.filesystem.readwrite_file.io_flags",
3094 FT_UINT32, BASE_HEX, NULL((void*)0), 0x00EFFFFF, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3095 },
3096 { &hf_procmon_filesystem_readwrite_file_priority,
3097 { "Priority", "procmon.filesystem.readwrite_file.priority",
3098 FT_UINT32, BASE_HEX, VALS(filesystem_readwrite_priority_vals)((0 ? (const struct _value_string*)0 : ((filesystem_readwrite_priority_vals
))))
, 0x00E00000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0)}
3099 },
3100 { &hf_procmon_filesystem_readwrite_file_length,
3101 { "Length", "procmon.filesystem.readwrite_file.length",
3102 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3103 },
3104 { &hf_procmon_filesystem_readwrite_file_offset,
3105 { "Offset", "procmon.filesystem.readwrite_file.file_offset",
3106 FT_INT64, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3107 },
3108 { &hf_procmon_filesystem_readwrite_file_result_length,
3109 { "Result Length", "procmon.filesystem.readwrite_file.result_length",
3110 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3111 },
3112 { &hf_procmon_filesystem_ioctl_write_length,
3113 { "Write Length", "procmon.filesystem.ioctl.write_length",
3114 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3115 },
3116 { &hf_procmon_filesystem_ioctl_read_length,
3117 { "Read Length", "procmon.filesystem.ioctl.read_length",
3118 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3119 },
3120 { &hf_procmon_filesystem_ioctl_ioctl,
3121 { "ioctl", "procmon.filesystem.ioctl.ioctl",
3122 FT_UINT32, BASE_DEC|BASE_EXT_STRING0x00000200, &ioctl_code_vals_ext, 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3123 },
3124 { &hf_procmon_filesystem_ioctl_offset,
3125 { "Offset", "procmon.filesystem.ioctl.offset",
3126 FT_INT64, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3127 },
3128 { &hf_procmon_filesystem_ioctl_length,
3129 { "Length", "procmon.filesystem.ioctl.length",
3130 FT_UINT64, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3131 },
3132 { &hf_procmon_filesystem_create_file_mapping_sync_type,
3133 { "Sync Type", "procmon.filesystem.create_file_mapping.sync_type",
3134 FT_UINT32, BASE_HEX, VALS(sync_type_vals)((0 ? (const struct _value_string*)0 : ((sync_type_vals)))), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3135 },
3136 { &hf_procmon_filesystem_create_file_mapping_page_protection,
3137 { "Page Protection", "procmon.filesystem.create_file_mapping.page_protection",
3138 FT_UINT32, BASE_HEX, VALS(page_protection_vals)((0 ? (const struct _value_string*)0 : ((page_protection_vals
))))
, 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3139 },
3140 { &hf_procmon_filesystem_directory,
3141 { "Directory", "procmon.filesystem.directory",
3142 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3143 },
3144 { &hf_procmon_filesystem_directory_size,
3145 { "Directory Size", "procmon.filesystem.directory.size",
3146 FT_UINT16, BASE_DEC_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3147 },
3148 { &hf_procmon_filesystem_directory_is_ascii,
3149 { "Is ASCII", "procmon.filesystem.directory.is_ascii",
3150 FT_BOOLEAN, 16, NULL((void*)0), STRING_IS_ASCII_MASK0x8000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3151 },
3152 { &hf_procmon_filesystem_directory_char_count,
3153 { "Char Count", "procmon.filesystem.directory.char_count",
3154 FT_UINT16, BASE_DEC, NULL((void*)0), STRING_CHAR_COUNT_MASK0x7FFF, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3155 },
3156 { &hf_procmon_filesystem_directory_control_file_information_class,
3157 { "File Information Class", "procmon.filesystem.directory_control.file_information_class",
3158 FT_UINT32, BASE_DEC, VALS(file_information_class_vals)((0 ? (const struct _value_string*)0 : ((file_information_class_vals
))))
, 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3159 },
3160 { &hf_procmon_filesystem_directory_control_notify_change_flags,
3161 { "Notify Change Flags", "procmon.filesystem.directory_control.notify_change_flags",
3162 FT_UINT32, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3163 },
3164 { &hf_procmon_filesystem_set_info_file_disposition_delete,
3165 { "Disposition Delete", "procmon.filesystem.set_info_file.disposition.delete",
3166 FT_UINT8, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3167 },
3168 { &hf_procmon_filesystem_directory_control_query_next_entry_offset,
3169 { "Next Entry Offset", "procmon.filesystem.directory_control.query.next_entry_offset",
3170 FT_UINT32, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3171 },
3172 { &hf_procmon_filesystem_directory_control_query_file_index,
3173 { "File Index", "procmon.filesystem.directory_control.query.file_index",
3174 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3175 },
3176 { &hf_procmon_filesystem_directory_control_query_name_length,
3177 { "Name Length", "procmon.filesystem.directory_control.query.name_length",
3178 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3179 },
3180 { &hf_procmon_filesystem_directory_control_query_name,
3181 { "Name", "procmon.filesystem.directory_control.query.name",
3182 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3183 },
3184 { &hf_procmon_filesystem_directory_control_query_creation_time,
3185 { "Creation Time", "procmon.filesystem.directory_control.query.creation_time",
3186 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3187 },
3188 { &hf_procmon_filesystem_directory_control_query_last_access_time,
3189 { "Last Access Time", "procmon.filesystem.directory_control.query.last_access_time",
3190 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3191 },
3192 { &hf_procmon_filesystem_directory_control_query_last_write_time,
3193 { "Last Write Time", "procmon.filesystem.directory_control.query.last_write_time",
3194 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3195 },
3196 { &hf_procmon_filesystem_directory_control_query_change_time,
3197 { "Change Time", "procmon.filesystem.directory_control.query.change_time",
3198 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3199 },
3200 { &hf_procmon_filesystem_directory_control_query_end_of_file,
3201 { "End of File", "procmon.filesystem.directory_control.query.end_of_file",
3202 FT_UINT64, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3203 },
3204 { &hf_procmon_filesystem_directory_control_query_allocation_size,
3205 { "Allocation Size", "procmon.filesystem.directory_control.query.allocation_size",
3206 FT_UINT64, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3207 },
3208 { &hf_procmon_filesystem_directory_control_query_file_attributes,
3209 { "File Attributes", "procmon.filesystem.directory_control.query.file_attributes",
3210 FT_UINT32, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3211 },
3212 { &hf_procmon_filesystem_directory_control_query_file_ea_size,
3213 { "EA Size", "procmon.filesystem.directory_control.query.ea_size",
3214 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3215 },
3216 { &hf_procmon_filesystem_directory_control_query_file_id,
3217 { "File ID", "procmon.filesystem.directory_control.query.file_id",
3218 FT_UINT64, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3219 },
3220 { &hf_procmon_filesystem_directory_control_query_short_name_length,
3221 { "Name Length", "procmon.filesystem.directory_control.query.short_name_length",
3222 FT_UINT16, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3223 },
3224 { &hf_procmon_filesystem_directory_control_query_short_name,
3225 { "Name", "procmon.filesystem.directory_control.short_name",
3226 FT_STRING, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3227 },
3228 { &hf_procmon_profiling_operation,
3229 { "Operation Type", "procmon.profiling.operation_type",
3230 FT_UINT16, BASE_DEC, VALS(profiling_operation_vals)((0 ? (const struct _value_string*)0 : ((profiling_operation_vals
))))
, 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3231 },
3232 { &hf_procmon_network_operation,
3233 { "Operation Type", "procmon.network.operation_type",
3234 FT_UINT16, BASE_DEC, VALS(network_operation_vals)((0 ? (const struct _value_string*)0 : ((network_operation_vals
))))
, 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3235 },
3236 { &hf_procmon_network_flags,
3237 { "Flags", "procmon.network.flags",
3238 FT_UINT16, BASE_HEX, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3239 },
3240 { &hf_procmon_network_flags_is_src_ipv4,
3241 { "Is Src IPv4", "procmon.network.flags.is_src_ipv4",
3242 FT_BOOLEAN, 16, NULL((void*)0), 0x0001, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3243 },
3244 { &hf_procmon_network_flags_is_dst_ipv4,
3245 { "Is Dest IPv4", "procmon.network.flags.is_dst_ipv4",
3246 FT_BOOLEAN, 16, NULL((void*)0), 0x0002, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3247 },
3248 { &hf_procmon_network_flags_tcp_udp,
3249 { "TCP/UDP", "procmon.network.flags.tcp_udp",
3250 FT_BOOLEAN, 16, TFS(&tfs_tcp_udp)((0 ? (const struct true_false_string*)0 : ((&tfs_tcp_udp
))))
, 0x0004, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0)}
3251 },
3252 { &hf_procmon_network_length,
3253 { "Length", "procmon.network.length",
3254 FT_UINT32, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3255 },
3256 { &hf_procmon_network_src_ipv4,
3257 { "Src IP", "procmon.network.src_ipv4",
3258 FT_IPv4, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3259 },
3260 { &hf_procmon_network_src_ipv6,
3261 { "Src IP", "procmon.network.src_ipv6",
3262 FT_IPv6, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3263 },
3264 { &hf_procmon_network_dest_ipv4,
3265 { "Dest IP", "procmon.network.dest_ipv4",
3266 FT_IPv4, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3267 },
3268 { &hf_procmon_network_dest_ipv6,
3269 { "Dest IP", "procmon.network.dest_ipv6",
3270 FT_IPv6, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3271 },
3272 { &hf_procmon_network_src_port,
3273 { "Src Port", "procmon.network.src_port",
3274 FT_UINT16, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3275 },
3276 { &hf_procmon_network_dest_port,
3277 { "Dest Port", "procmon.network.dest_port",
3278 FT_UINT16, BASE_DEC, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3279 },
3280 { &hf_procmon_network_padding,
3281 { "Padding", "procmon.network.padding",
3282 FT_BYTES, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3283 },
3284 { &hf_procmon_network_details,
3285 { "Details", "procmon.network.details",
3286 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
3287 },
3288
3289 };
3290
3291 /* Setup protocol subtree array */
3292 static int *ett[] = {
3293 &ett_procmon,
3294 &ett_procmon_header,
3295 &ett_procmon_stack_trace,
3296 &ett_procmon_process_event,
3297 &ett_procmon_process_path,
3298 &ett_procmon_process_commandline,
3299 &ett_procmon_process_curdir,
3300 &ett_procmon_registry_event,
3301 &ett_procmon_registry_key,
3302 &ett_procmon_registry_new_key,
3303 &ett_procmon_registry_value,
3304 &ett_procmon_filesystem_event,
3305 &ett_procmon_filesystem_path,
3306 &ett_procmon_filesystem_create_file_impersonating,
3307 &ett_procmon_filesystem_directory,
3308 &ett_procmon_filesystem_information,
3309 &ett_procmon_profiling_event,
3310 &ett_procmon_network_event,
3311 &ett_procmon_network_flags,
3312 };
3313
3314 static ei_register_info ei[] = {
3315 { &ei_procmon_unknown_event_class, { "procmon.event_class.unknown", PI_UNDECODED0x05000000, PI_WARN0x00600000, "Unknown event class", EXPFILL0, ((void*)0), 0, ((void*)0), {0, {((void*)0), ((void*)0), FT_NONE
, BASE_NONE, ((void*)0), 0, ((void*)0), -1, 0, HF_REF_TYPE_NONE
, -1, ((void*)0)}}
}},
3316 { &ei_procmon_unknown_operation, { "procmon.operation_type.unknown", PI_UNDECODED0x05000000, PI_WARN0x00600000, "Unknown event operation", EXPFILL0, ((void*)0), 0, ((void*)0), {0, {((void*)0), ((void*)0), FT_NONE
, BASE_NONE, ((void*)0), 0, ((void*)0), -1, 0, HF_REF_TYPE_NONE
, -1, ((void*)0)}}
}},
3317 };
3318
3319 expert_module_t* expert_procmon;
3320
3321 /* Register the protocol name and description */
3322 proto_procmon = proto_register_protocol(PNAME"MS Procmon Event", PSNAME"MS Procmon", PFNAME"procmon");
3323
3324 /* Required function calls to register the header fields and subtrees */
3325 proto_register_field_array(proto_procmon, hf, array_length(hf)(sizeof (hf) / sizeof (hf)[0]));
3326 proto_register_subtree_array(ett, array_length(ett)(sizeof (ett) / sizeof (ett)[0]));
3327 expert_procmon = expert_register_protocol(proto_procmon);
3328 expert_register_field_array(expert_procmon, ei, array_length(ei)(sizeof (ei) / sizeof (ei)[0]));
3329
3330 procmon_handle = register_dissector("procmon", dissect_procmon_event, proto_procmon);
3331}
3332
/*
 * Handoff registration: hook the procmon dissector into the "wtap_fts_rec"
 * dissector table, keyed by wiretap's file type/subtype for "procmon", so
 * records read from a procmon capture file are dispatched to
 * dissect_procmon_event.  If wiretap does not know the "procmon" file type
 * (lookup returns -1) nothing is registered.
 */
void
proto_reg_handoff_procmon(void)
{
    const int procmon_fts = wtap_name_to_file_type_subtype("procmon");

    /* Unknown file type in this build: leave the table untouched. */
    if (procmon_fts == -1)
        return;

    dissector_add_uint("wtap_fts_rec", procmon_fts, procmon_handle);
}
3342
3343/*
3344 * Editor modelines - https://www.wireshark.org/tools/modelines.html
3345 *
3346 * Local variables:
3347 * c-basic-offset: 4
3348 * tab-width: 8
3349 * indent-tabs-mode: nil
3350 * End:
3351 *
3352 * vi: set shiftwidth=4 tabstop=8 expandtab:
3353 * :indentSize=4:tabSize=8:noTabs=true:
3354 */