Smb2-protocol: [Smb2-protocol] a few more fields

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Sat, 12 Nov 2005 08:30:17 +1100
Ronnie,

I've worked out a few more fields in create and close. 

close looks like this:

struct smb2_close {
	struct {
		uint32_t unknown1;
		uint32_t unknown2;
		struct smb2_handle handle;
	} in;

	struct {
		uint32_t unknown1;
		uint32_t unknown2;
		NTTIME   create_time;
		NTTIME   access_time;
		NTTIME   write_time;
		NTTIME   change_time;
		uint64_t alloc_size;
		uint64_t size;
		uint32_t file_attr;
	} out;
};

I suspect the unknown2 in the reply is padding. I also suspect the 2nd
16 bits of unknown1 is padding in the reply, leaving just a 16 bit
'buffer format code' which says which of the following pieces of the
close are present.

For create, here is what I have so far:

struct smb2_create {
	struct {
		uint32_t unknown1; /* 0x09000039 */
		uint32_t unknown2; /* 2 */
		uint32_t unknown3[4];
		uint32_t access_mask;
		uint32_t file_attr;
		uint32_t share_access;
		uint32_t open_disposition;
		uint32_t create_options;
		/* ofs/len of name here, 16 bits */
		uint32_t unknown6;
		const char *fname;
		uint32_t unknown7;
		uint32_t unknown8;
		uint32_t unknown9;
		uint32_t unknown10;
		uint64_t unknown11;
	} in;

	struct {
		uint32_t unknown1;
		uint32_t unknown2;
		NTTIME   create_time;
		NTTIME   access_time;
		NTTIME   write_time;
		NTTIME   change_time;
		uint64_t alloc_size;
		uint64_t size;
		uint32_t file_attr;
		uint32_t unknown3;
		struct smb2_handle handle;
		uint32_t unknown4;
	} out;
};


so there are still a bunch of unknowns, but less than yesterday :-)
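The close reply layout from the post, decoded as an added example (not code from the post, Samba or Wireshark): it assumes the fields are little-endian, that NTTIME is the usual count of 100 ns intervals since 1601-01-01 UTC, and it splits unknown1 into the suspected 16-bit buffer format code plus 16 bits of padding; the sample reply bytes are constructed, not taken from a capture.

```python
import struct
from datetime import datetime, timedelta, timezone

# Wire layout of the close reply exactly as the struct in the post lays it
# out, little-endian like the rest of SMB (assumption): uint32 unknown1,
# uint32 unknown2, four NTTIMEs, uint64 alloc_size, uint64 size,
# uint32 file_attr. The post suspects unknown1 is really a 16-bit
# 'buffer format code' plus 16 bits of padding, so it is split as H,H here.
CLOSE_OUT_FMT = "<HHIQQQQQQI"
CLOSE_OUT_LEN = struct.calcsize(CLOSE_OUT_FMT)  # 60 bytes

# NTTIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
NTTIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def nttime_to_datetime(t):
    return NTTIME_EPOCH + timedelta(microseconds=t // 10)


def datetime_to_nttime(dt):
    d = dt - NTTIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_close_out(buf):
    """Decode a close reply body; rejects a truncated buffer instead of
    reading past its end, which is the first check a dissector needs."""
    if len(buf) < CLOSE_OUT_LEN:
        raise ValueError(f"close reply too short: {len(buf)} < {CLOSE_OUT_LEN}")
    (fmt_code, pad, unknown2, ctime, atime, wtime, chtime,
     alloc_size, size, file_attr) = struct.unpack_from(CLOSE_OUT_FMT, buf)
    return {
        "buffer_format_code": fmt_code,
        "pad": pad,                 # expected 0 if the padding guess holds
        "unknown2": unknown2,
        "create_time": nttime_to_datetime(ctime),
        "access_time": nttime_to_datetime(atime),
        "write_time": nttime_to_datetime(wtime),
        "change_time": nttime_to_datetime(chtime),
        "alloc_size": alloc_size,
        "size": size,
        "file_attr": file_attr,
    }


def build_close_out(fmt_code, when, alloc_size, size, file_attr):
    """Constructed sample reply (not a capture): all four times set to 'when'."""
    t = datetime_to_nttime(when)
    return struct.pack(CLOSE_OUT_FMT, fmt_code, 0, 0, t, t, t, t,
                       alloc_size, size, file_attr)


# Constructed sample values, chosen for the demo only.
SAMPLE_WHEN = datetime(2005, 11, 12, 8, 30, 17, tzinfo=timezone.utc)
SAMPLE_REPLY = build_close_out(1, SAMPLE_WHEN, 4096, 1234, 0x20)
```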