SMB2/Ioctl

Opcode 0x0b

This SMB2 command is used to do Ioctl and Fcntl calls.

This command can transport several different types of Ioctl's, including acting as a transport for DCE/RPC.

SMB2/Ioctl Request

SMB2/Ioctl Request Packet Format

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Buffer Code          |               |               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Ioctl Function                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+-+-+-+-+                                               +-+-+-+-+
|                              FID                              |
+-+-+-+-+                                               +-+-+-+-+
|                                                               |
+-+-+-+-+                                               +-+-+-+-+
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           In Offset                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           In Length                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               |               |               |               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Out Offset                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Out Length                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Max Out Length                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               |               |               |               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               |               |               |               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

+-+-+-+-+...
| In buffer
+-+-+-+-+...

+-+-+-+-+...
| Out buffer
+-+-+-+-+...

Buffer Code

SMB2/BufferCode 0x39 = 0x38 | 0x01

Ioctl Function

This field describes what type of ioctl or fsctl is issued. See SMB2/Ioctl/Function

FID

SMB2/FID This i the object we want to send the ioctl to. For DCE/RPC based transactions this would be a named pipe but it could also be a regular file or the special fid ffffffff-ffffffff-ffffffff-ffffffff

Currently only the meaning of transactions for DCE/RPC on named pipes is known.

In Offset

Offset relative to the start of the SMB2 packet where the input buffer starts.

In Length

Length of the input buffer.

Out Offset

Offset relative to the start of the SMB2 packet where the output buffer starts.

Out Length

Length of the output buffer.

Max Out Length

This field denotes the maximum amount of data we are prepared to accept in the response. If this is too small for the response, the response will just be truncated but no NT_status will be set.

In Buffer

If present, this field carries the ioctl in payload sent to the server. For DCE/RPC transactions this would contain the DCE/RPC request.

Out Buffer

Present in the request but ignored by the server. This buffer carries the response data sent back from the server.

SMB2/Ioctl Response

SMB2/Ioctl Response Packet Format

If it executed successfully:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Buffer Code          |               |               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Ioctl Function                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+-+-+-+-+                                               +-+-+-+-+
|                              FID                              |
+-+-+-+-+                                               +-+-+-+-+
|                                                               |
+-+-+-+-+                                               +-+-+-+-+
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           In Offset                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           In Length                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Out Offset                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Out Length                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               |               |               |               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               |               |               |               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

+-+-+-+-+...
| In buffer
+-+-+-+-+...

+-+-+-+-+...
| Out buffer
+-+-+-+-+...



If there was an error:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Buffer Code          |               |               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               |               |               |               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Buffer Code

SMB2/BufferCode 0x31 = 0x30 | 0x01

Ioctl Function

This field describes what type of ioctl or fsctl is issued. See SMB2/Ioctl/Function

FID

SMB2/FID This i the object we sent the ioctl to. For DCE/RPC based transactions this would be a named pipe but it could also be a regular file or the special fid ffffffff-ffffffff-ffffffff-ffffffff

Currently only the meaning of transactions for DCE/RPC on named pipes is known.

In Offset

Offset relative to the start of the SMB2 packet where the input buffer starts.

In Length

Length of the input buffer.

Out Offset

Offset relative to the start of the SMB2 packet where the output buffer starts.

Out Length

Length of the output buffer.

In Buffer

If present, this field carries the ioctl in payload sent to the server. For DCE/RPC transactions this would contain the DCE/RPC request.

Out Buffer

Present in the request but ignored by the server. This buffer carries the response data sent back from the server.

NT Status Codes

Discussion

update this later now that we know this is ioctl:

There are other, non-dcerpc transactions as well. Some transactions start with the byte 0x03 in the out buffer seen for the magic fid ffffffff-ffffffff-ffffffff-ffffffff issued immediately after a share is mapped. Some transactions operating on plain files take no output buffer at all but return some sort of input data back.

In the request : Immediately followinf the MaxInSize seems to be a set of flags (uint64). This field has the first byte as 0x01 for all transactions i have seen , dce/rpc or non-dce/rpc.

The four bytes prior to the FID in the request seems to control what kind of transaction it is, I have seen the following pattern :

00.00.00.00 : no buffer content, status!=0 and error occured.

94.01.06.00 
c8.01.14.00 :  The two does not operate on a specific fid (fid==ffff-ffff-ffff... ) instead they operate on the tree or the entire server?
               the c8. version is common when the payload in the request contains strings looking like \PIPE\LANMAN
               the 94 version often contains payload of the type \<IPADDRESS>\sharename
               Could this be calls to check if a file exists on a share   or ashare exists on a server?

af.01.09.00 : these all operate on the fid for "" (the share itself?) and takes 8 bytes of output data.   Could this be IOCTL?

c0.00.09.00 : No data in the request,  it returns 64 bytes of data.  operates on both "" as well as normal files.

SMB2/Ioctl (last edited 2008-04-12 17:50:40 by localhost)