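#!/usr/sbin/dtrace -s
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

/*
 * Usage: ./msrpc.d -p `pgrep smbd`
 *
 * The pid given with -p becomes $target for the pid-provider clauses
 * below, so it must be the smbd process. The fbt/sdt clauses need
 * dtrace_kernel privilege and the pid$target clauses need dtrace_proc
 * on smbd; in practice the script is run as root.
 *
 * On multi-processor systems, it may be easier to follow the output
 * if run on a single processor: see psradm. For example, to disable
 * the second processor on a dual-processor system: psradm -f 1
 *
 * This script can be used to trace NDR operations and MSRPC requests.
 * In order to put these operations in context, SMB session and tree
 * requests are also traced. Note that the output therefore contains
 * account names (domain\username) and share paths from live sessions.
 *
 * Output formatting is as follows:
 *
 *	UI 03 ... rpc_vers           get 1@0   =    5 {05}
 *	UI 03 ... rpc_vers_minor     get 1@1   =    0 {00}
 *
 *	U       Marshalling flag (M=marshal, U=unmarshal)
 *	I       Direction flag (I=in, O=out)
 *	...     Field name
 *	get     PDU operation (get or put)
 *	1@0     Bytes @ offset (i.e. 1 byte at offset 0)
 *	{05}    Value
 *
 * The value formatting is limited to 10 bytes, after which an ellipsis
 * will be inserted before the closing brace. If the value is 1 or 2
 * bytes, an attempt will be made to present an ASCII value but this may
 * or may not be relevant.
 *
 * The following example shows the header from a bind response:
 *
 * trace:entry MO 03 ... rpc_vers put 1@0 = 5 {05}
 * trace:entry MO 03 ... rpc_vers_minor put 1@1 = 0 {00}
 * trace:entry MO 03 ... ptype put 1@2 = 12 {0c}
 * trace:entry MO 03 ... pfc_flags put 1@3 = 3 {03}
 * trace:entry MO 04 .... intg_char_rep put 1@4 = 16 {10}
 * trace:entry MO 04 .... float_rep put 1@5 = 0 {00}
 * trace:entry MO 04 .... _spare[0] put 1@6 = 0 {00}
 * trace:entry MO 04 .... _spare[1] put 1@7 = 0 {00}
 * trace:entry MO 03 ... frag_length put 2@8 = 68 {44 00} D
 * trace:entry MO 03 ... auth_length put 2@10 = 0 {00 00}
 * trace:entry MO 03 ... call_id put 4@12 = 1 {01 00 00 00}
 * trace:entry MO 02 .. max_xmit_frag put 2@16 = 4280 {b8 10}
 * trace:entry MO 02 .. max_recv_frag put 2@18 = 4280 {b8 10}
 * trace:entry MO 02 .. assoc_group_id put 4@20 = 1192620711 {a7 f2 15 47}
 * trace:entry MO 02 .. sec_addr.length put 2@24 = 12 {0c 00}
 * trace:entry MO 02 .. sec_addr.port_spec[0] put 1@26 = 92 {5c} \
 * trace:entry MO 02 .. sec_addr.port_spec[1] put 1@27 = 80 {50} P
 * trace:entry MO 02 .. sec_addr.port_spec[2] put 1@28 = 73 {49} I
 * trace:entry MO 02 .. sec_addr.port_spec[3] put 1@29 = 80 {50} P
 * trace:entry MO 02 .. sec_addr.port_spec[4] put 1@30 = 69 {45} E
 * trace:entry MO 02 .. sec_addr.port_spec[5] put 1@31 = 92 {5c} \
 * trace:entry MO 02 .. sec_addr.port_spec[6] put 1@32 = 108 {6c} l
 * trace:entry MO 02 .. sec_addr.port_spec[7] put 1@33 = 115 {73} s
 * trace:entry MO 02 .. sec_addr.port_spec[8] put 1@34 = 97 {61} a
 * trace:entry MO 02 .. sec_addr.port_spec[9] put 1@35 = 115 {73} s
 * trace:entry MO 02 .. sec_addr.port_spec[10] put 1@36 = 115 {73} s
 * trace:entry MO 02 .. sec_addr.port_spec[11] put 1@37 = 0 {00}
 */

BEGIN
{
	printf("MSRPC Trace Started");
	printf("\n\n");
}

END
{
	printf("MSRPC Trace Ended");
	printf("\n\n");
}

/*
 * SmbSessionSetupX, SmbLogoffX
 * SmbTreeConnect, SmbTreeDisconnect
 *
 * An empty action still emits the default probe record (CPU, ID,
 * FUNCTION:NAME), which is enough to show the call flow. Some of these
 * descriptions overlap with the wildcards in the next clause (for
 * example smb_tree_connect:return is also matched by smb_tree*:return),
 * so such a probe produces two records when it fires.
 */
smb_tree*:entry,
smb_com_*:entry,
smb_com_*:return,
smb_com_session_setup_andx:entry,
smb_com_logoff_andx:entry,
smb_tree_connect:return,
smb_tree_disconnect:entry,
smb_tree_disconnect:return,
smb_opipe_open:entry,
smb_opipe_door_call:entry,
smb_opipe_door_upcall:entry,
door_ki_upcall:entry
{
}

/*
 * Return probes: arg1 is the function's return value.
 */
smb_com_session_setup_andx:return,
smb_user*:return,
smb_tree*:return,
smb_opipe_open:return,
smb_opipe_door_call:return,
smb_opipe_door_upcall:return,
door_ki_upcall:return
{
	printf("rc=0x%08x", arg1);
}

/*
 * arg0 is the smb_logon_t for the session setup. The pointer is held in
 * a clause-local (this->) variable rather than a global scalar: a global
 * is shared by all CPUs and a concurrent session setup could overwrite
 * it between the assignment and the printf.
 */
sdt:smbsrv::smb-sessionsetup-clntinfo
{
	this->user_info = (smb_logon_t *)arg0;
	printf("domain\\username=%s\\%s\n\n",
	    stringof(this->user_info->lg_domain),
	    stringof(this->user_info->lg_username));
}

/*
 * arg0 is the smb_request_t; the tree-connect arguments carry the
 * requested share path and service type. Clause-local for the same
 * reason as above.
 */
smb_tree_connect:entry
{
	this->sr = (smb_request_t *)arg0;
	printf("share=%s service=%s",
	    stringof(this->sr->arg.tcon.path),
	    stringof(this->sr->arg.tcon.service));
}

smb_com_logoff_andx:return
{
}

/*
 * Raise error functions (no return).
 */
smbsr_error:entry
{
	printf("status=0x%08x class=%d, code=%d", arg1, arg2, arg3);
}

smbsr_errno:entry
{
	printf("errno=%d", arg1);
}

smbsr_error:return,
smbsr_errno:return
{
}

/*
 * MSRPC activity.
 *
 * Everything from here on uses the pid provider on $target (the smbd
 * process given with -p). copyinstr() copies the string out of smbd's
 * address space; an invalid pointer makes the action fail and is
 * reported by dtrace as an error on the enabled probe, not a crash of
 * the target.
 */
pid$target::ndr_svc_bind:entry,
pid$target::ndr_svc_bind:return,
pid$target::ndr_svc_request:entry,
pid$target::ndr_svc_request:return
{
}

pid$target::smb_trace:entry,
pid$target::ndo_trace:entry
{
	printf("%s", copyinstr(arg0));
}

/*
 * LSARPC
 *
 * lsarpc_s_OpenDomainHandle was listed twice in each of the two clauses
 * below; the duplicate has been dropped so the probe is enabled once.
 */
pid$target::lsarpc_s_CloseHandle:entry,
pid$target::lsarpc_s_QuerySecurityObject:entry,
pid$target::lsarpc_s_EnumAccounts:entry,
pid$target::lsarpc_s_EnumTrustedDomain:entry,
pid$target::lsarpc_s_OpenAccount:entry,
pid$target::lsarpc_s_EnumPrivsAccount:entry,
pid$target::lsarpc_s_LookupPrivValue:entry,
pid$target::lsarpc_s_LookupPrivName:entry,
pid$target::lsarpc_s_LookupPrivDisplayName:entry,
pid$target::lsarpc_s_QueryInfoPolicy:entry,
pid$target::lsarpc_s_OpenDomainHandle:entry,
pid$target::lsarpc_s_LookupSids:entry,
pid$target::lsarpc_s_LookupNames:entry,
pid$target::lsarpc_s_GetConnectedUser:entry,
pid$target::lsarpc_s_LookupSids2:entry,
pid$target::lsarpc_s_LookupNames2:entry
{
}

pid$target::lsarpc_s_CloseHandle:return,
pid$target::lsarpc_s_QuerySecurityObject:return,
pid$target::lsarpc_s_EnumAccounts:return,
pid$target::lsarpc_s_EnumTrustedDomain:return,
pid$target::lsarpc_s_OpenAccount:return,
pid$target::lsarpc_s_EnumPrivsAccount:return,
pid$target::lsarpc_s_LookupPrivValue:return,
pid$target::lsarpc_s_LookupPrivName:return,
pid$target::lsarpc_s_LookupPrivDisplayName:return,
pid$target::lsarpc_s_QueryInfoPolicy:return,
pid$target::lsarpc_s_OpenDomainHandle:return,
pid$target::lsarpc_s_LookupSids:return,
pid$target::lsarpc_s_LookupNames:return,
pid$target::lsarpc_s_GetConnectedUser:return,
pid$target::lsarpc_s_LookupSids2:return,
pid$target::lsarpc_s_LookupNames2:return
{
}

/* arg1 is the name being looked up. */
pid$target::lsar_lookup_names:entry
{
	printf("%s", copyinstr(arg1));
}

/*
 * lsar_lookup_* is also matched by lsar_*, so each of these probes
 * fires both clauses.
 */
pid$target::lsar_lookup_*:entry
{
}

pid$target::lsar_lookup_*:return
{
	printf("0x%08x", arg1);
}

pid$target::lsar_*:entry
{
}

pid$target::lsar_*:return
{
	printf("0x%08x", arg1);
}

/*
 * NetLogon
 */
pid$target::netr_*:entry
{
}

pid$target::netr_*:return
{
	printf("0x%08x", arg1);
}

/*
 * SAMR
 */
pid$target::samr_s_ConnectAnon:entry,
pid$target::samr_s_CloseHandle:entry,
pid$target::samr_s_LookupDomain:entry,
pid$target::samr_s_EnumLocalDomains:entry,
pid$target::samr_s_OpenDomain:entry,
pid$target::samr_s_QueryDomainInfo:entry,
pid$target::samr_s_QueryInfoDomain2:entry,
pid$target::samr_s_LookupNames:entry,
pid$target::samr_s_OpenUser:entry,
pid$target::samr_s_DeleteUser:entry,
pid$target::samr_s_QueryUserInfo:entry,
pid$target::samr_s_QueryUserGroups:entry,
pid$target::samr_s_OpenGroup:entry,
pid$target::samr_s_Connect:entry,
pid$target::samr_s_GetUserPwInfo:entry,
pid$target::samr_s_CreateUser:entry,
pid$target::samr_s_ChangeUserPasswd:entry,
pid$target::samr_s_GetDomainPwInfo:entry,
pid$target::samr_s_SetUserInfo:entry,
pid$target::samr_s_Connect3:entry,
pid$target::samr_s_Connect4:entry,
pid$target::samr_s_QueryDispInfo:entry,
pid$target::samr_s_OpenAlias:entry,
pid$target::samr_s_CreateDomainAlias:entry,
pid$target::samr_s_SetAliasInfo:entry,
pid$target::samr_s_QueryAliasInfo:entry,
pid$target::samr_s_DeleteDomainAlias:entry,
pid$target::samr_s_EnumDomainAliases:entry,
pid$target::samr_s_EnumDomainGroups:entry
{
}

pid$target::samr_s_ConnectAnon:return,
pid$target::samr_s_CloseHandle:return,
pid$target::samr_s_LookupDomain:return,
pid$target::samr_s_EnumLocalDomains:return,
pid$target::samr_s_OpenDomain:return,
pid$target::samr_s_QueryDomainInfo:return,
pid$target::samr_s_QueryInfoDomain2:return,
pid$target::samr_s_LookupNames:return,
pid$target::samr_s_OpenUser:return,
pid$target::samr_s_DeleteUser:return,
pid$target::samr_s_QueryUserInfo:return,
pid$target::samr_s_QueryUserGroups:return,
pid$target::samr_s_OpenGroup:return,
pid$target::samr_s_Connect:return,
pid$target::samr_s_GetUserPwInfo:return,
pid$target::samr_s_CreateUser:return,
pid$target::samr_s_ChangeUserPasswd:return,
pid$target::samr_s_GetDomainPwInfo:return,
pid$target::samr_s_SetUserInfo:return,
pid$target::samr_s_Connect3:return,
pid$target::samr_s_Connect4:return,
pid$target::samr_s_QueryDispInfo:return,
pid$target::samr_s_OpenAlias:return,
pid$target::samr_s_CreateDomainAlias:return,
pid$target::samr_s_SetAliasInfo:return,
pid$target::samr_s_QueryAliasInfo:return,
pid$target::samr_s_DeleteDomainAlias:return,
pid$target::samr_s_EnumDomainAliases:return,
pid$target::samr_s_EnumDomainGroups:return
{
}

/*
 * SVCCTL
 */
pid$target::svcctl_s_*:entry,
pid$target::svcctl_s_*:return
{
}

/*
 * SRVSVC
 */
pid$target::srvsvc_s_NetConnectEnum:entry,
pid$target::srvsvc_s_NetFileEnum:entry,
pid$target::srvsvc_s_NetFileClose:entry,
pid$target::srvsvc_s_NetShareGetInfo:entry,
pid$target::srvsvc_s_NetShareSetInfo:entry,
pid$target::srvsvc_s_NetSessionEnum:entry,
pid$target::srvsvc_s_NetSessionDel:entry,
pid$target::srvsvc_s_NetServerGetInfo:entry,
pid$target::srvsvc_s_NetRemoteTOD:entry,
pid$target::srvsvc_s_NetNameValidate:entry,
pid$target::srvsvc_s_NetShareAdd:entry,
pid$target::srvsvc_s_NetShareDel:entry,
pid$target::srvsvc_s_NetShareEnum:entry,
pid$target::srvsvc_s_NetShareEnumSticky:entry,
pid$target::srvsvc_s_NetGetFileSecurity:entry,
pid$target::srvsvc_s_NetSetFileSecurity:entry
{
}

pid$target::srvsvc_s_NetConnectEnum:return,
pid$target::srvsvc_s_NetFileEnum:return,
pid$target::srvsvc_s_NetFileClose:return,
pid$target::srvsvc_s_NetShareGetInfo:return,
pid$target::srvsvc_s_NetShareSetInfo:return,
pid$target::srvsvc_s_NetSessionEnum:return,
pid$target::srvsvc_s_NetSessionDel:return,
pid$target::srvsvc_s_NetServerGetInfo:return,
pid$target::srvsvc_s_NetRemoteTOD:return,
pid$target::srvsvc_s_NetNameValidate:return,
pid$target::srvsvc_s_NetShareAdd:return,
pid$target::srvsvc_s_NetShareDel:return,
pid$target::srvsvc_s_NetShareEnum:return,
pid$target::srvsvc_s_NetShareEnumSticky:return,
pid$target::srvsvc_s_NetGetFileSecurity:return,
pid$target::srvsvc_s_NetSetFileSecurity:return
{
}

/*
 * WinReg
 */
pid$target::winreg_s_*:entry,
pid$target::winreg_s_*:return
{
}

/*
 * Workstation
 */
pid$target::wkssvc_s_*:entry,
pid$target::wkssvc_s_*:return
{
}

/*
 * SMBRDR
 *
 * The entry probes print the string arguments of the redirector calls
 * (server, share and pipe names); the return probes print arg1, the
 * return value.
 */
pid$target::smbrdr_tree_connect:entry
{
	printf("%s %s %s", copyinstr(arg0), copyinstr(arg1),
	    copyinstr(arg2));
}

pid$target::smbrdr_open_pipe:entry
{
	printf("%s %s %s %s", copyinstr(arg0), copyinstr(arg1),
	    copyinstr(arg2), copyinstr(arg3));
}

pid$target::smbrdr_tree_disconnect:entry,
pid$target::smbrdr_close_pipe:entry,
pid$target::smbrdr_ntcreatex:entry,
pid$target::smbrdr_transact:entry,
pid$target::smbrdr_readx*:entry
{
}

pid$target::smbrdr_tree_connect:return,
pid$target::smbrdr_tree_disconnect:return,
pid$target::smbrdr_open_pipe:return,
pid$target::smbrdr_close_pipe:return,
pid$target::smbrdr_ntcreatex:return,
pid$target::smbrdr_transact:return,
pid$target::smbrdr_readx*:return
{
	printf("%d", arg1);
}

pid$target::ndr_clnt_get_frags:entry,
pid$target::ndr_clnt_get_frag:entry
{
}

pid$target::ndr_clnt_get_frags:return,
pid$target::ndr_clnt_get_frag:return
{
	printf("%d", arg1);
}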