
4.3 Receive Packed ROP Responses from the Server

The client has already established a Session Context with the server and has a valid session context handle. For more information, see section 4.1.

The client sends ROP commands to the server by calling the EcDoRpcExt2 method, as described in section 3.1.4.2, using the session context handle that was returned from the EcDoConnectEx method call, as described in section 3.1.4.1. The last ROP request contains the RopReadStream ROP ([MS-OXCROPS] section 2.2.9.2), so the client requests response chaining (for example, packing).

pcxh: Pointer to session context handle value, which is 0x00001234.

pulFlags: Pointer to unsigned long containing value 0x00000007. (Client requests that the server not compress or perform an XOR operation on the payload of the rgbOut and rgbAuxOut parameters. Client requests response chaining.)

rgbIn: Client passes extended buffer and payload containing ROP commands to be processed by server. For details about ROP commands, see [MS-OXCROPS].

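| Structure | Field | Value |
|---|---|---|
| RPC_HEADER_EXT | Version | 0x0000 |
| RPC_HEADER_EXT | Flags | 0x0004 |
| RPC_HEADER_EXT | Size | 0x0152 |
| RPC_HEADER_EXT | SizeActual | 0x0152 |
| Payload (ROP request commands) | RopSize | 0x0142 |
| Payload (ROP request commands) | ROPs | 320 bytes (last ROP command is RopReadStream) |
| Payload (ROP request commands) | SOHT | 16 bytes |

(Payload is not compressed and not obfuscated.)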

cbIn: 0x0000015A

rgbAuxIn: Null pointer value.

cbAuxIn: 0x000000

rgbOut: Pointer to buffer of size 0x00018008.

pcbOut: Pointer to unsigned long value 0x00018008.

rgbAuxOut: Pointer to buffer of size 0x1008.

pcbAuxOut: Pointer to unsigned long value 0x00001008.

The server processes the EcDoRpcExt2 method request. The server verifies that the session context handle is for a valid Session Context for this user. The server processes the ROP request commands and returns ROP response results to the client. The last ROP was the RopReadStream ROP, and the client has requested chaining. Because there is more data to return in the stream being read and there is more room in the rgbOut parameter output buffer, the server adds another extended buffer and payload. The server returns the following output values.

pcxh: Value at session context handle pointer is 0x00001234.

pulFlags: Value at unsigned long is 0x00000000.

rgbOut: Server returns two extended buffer header and payload pairs containing ROP response commands. The last payload contains only the RopReadStream ROP command.

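| Buffer | Structure | Field | Value |
|---|---|---|---|
| First | RPC_HEADER_EXT | Flags | 0x0000 |
| First | RPC_HEADER_EXT | Size | 0x7FFE |
| First | Payload (ROP response commands) | RopSize | 0x7FEE |
| First | Payload (ROP response commands) | ROPs | |
| First | Payload (ROP response commands) | SOHT | 16 bytes |
| Second | RPC_HEADER_EXT | Flags | 0x0004 |
| Second | RPC_HEADER_EXT | Size | 0x2008 |
| Second | Payload (ROP response command) | RopSize | 0x1FF8 |
| Second | Payload (ROP response command) | ROP | |
| Second | Payload (ROP response command) | SOHT | 16 bytes |

(Payloads are not compressed and not obfuscated.)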

pcbOut: 0x0000A016

rgbAuxOut: Server returns nothing in the auxiliary output buffer.

pcbAuxOut: 0x00000000

pulTransTime: Value at unsigned long pointer is 0x00000010. (The number of milliseconds it took the server to process the EcDoRpcExt2 method call.)

Return Value: 0x00000000
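The following is an added example, not part of the specification: a bounds-checked walk over a chained rgbOut buffer that checks each RPC_HEADER_EXT Size and RopSize against pcbOut and requires the chain to end on a block flagged Last (0x0004). The function names are hypothetical, the sample buffer is constructed with zero-filled ROP bytes, and the flag names, the little-endian 8-byte header layout, and SizeActual equal to Size for uncompressed payloads are assumed from the RPC_HEADER_EXT definition elsewhere in the specification.

```python
import struct

HDR = struct.Struct("<HHHH")  # RPC_HEADER_EXT: Version, Flags, Size, SizeActual
COMPRESSED, XOR_MAGIC, LAST = 0x0001, 0x0002, 0x0004  # RPC_HEADER_EXT Flags bits

def walk_packed(rgb_out, cb_out):
    """Validate a chained rgbOut; return [(flags, rop_size, soht_len), ...]."""
    if cb_out > len(rgb_out):
        raise ValueError("pcbOut larger than the buffer supplied")
    blocks, off, seen_last = [], 0, False
    while off < cb_out:
        if seen_last:
            raise ValueError("data follows the block flagged Last")
        if cb_out - off < HDR.size:
            raise ValueError("truncated RPC_HEADER_EXT")
        version, flags, size, size_actual = HDR.unpack_from(rgb_out, off)
        off += HDR.size
        if version != 0:
            raise ValueError("unexpected header Version")
        if flags & (COMPRESSED | XOR_MAGIC):
            raise ValueError("compressed or obfuscated payload not handled here")
        if size_actual != size:
            raise ValueError("SizeActual differs from Size on uncompressed payload")
        if size < 2 or size > cb_out - off:
            raise ValueError("Size runs past pcbOut")
        (rop_size,) = struct.unpack_from("<H", rgb_out, off)
        # RopSize counts its own 2 bytes plus the ROPs; the rest is the SOHT.
        if rop_size < 2 or rop_size > size or (size - rop_size) % 4:
            raise ValueError("RopSize inconsistent with payload Size")
        blocks.append((flags, rop_size, size - rop_size))
        seen_last = bool(flags & LAST)
        off += size
    if not seen_last:
        raise ValueError("chain does not end with a Last block")
    return blocks

def build_block(flags, rop_size, soht_len):
    """Constructed test data: zero-filled ROPs and handle table of the given sizes."""
    payload = struct.pack("<H", rop_size) + bytes(rop_size - 2) + bytes(soht_len)
    return HDR.pack(0, flags, len(payload), len(payload)) + payload

# Constructed buffer with the sizes from the response example above.
SAMPLE = build_block(0x0000, 0x7FEE, 16) + build_block(LAST, 0x1FF8, 16)

if __name__ == "__main__":
    for flags, rop_size, soht_len in walk_packed(SAMPLE, len(SAMPLE)):
        print(f"Flags={flags:#06x} RopSize={rop_size:#06x} SOHT={soht_len} bytes")
```

The constructed buffer is 0x0000A016 bytes long, matching the pcbOut value in the example: two 8-byte headers plus payloads of 0x7FFE and 0x2008 bytes.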
