2.2.4.43.1 Request

 SMB_Parameters
   {
   UCHAR  WordCount;
   Words
     {
     UCHAR  AndXCommand;
     UCHAR  AndXReserved;
     USHORT AndXOffset;
     USHORT FID;
     ULONG  Offset;
     ULONG  Timeout;
     USHORT WriteMode;
     USHORT Remaining;
     USHORT Reserved;
     USHORT DataLength;
     USHORT DataOffset;
     ULONG  OffsetHigh (optional);
     }
   }
 SMB_Data
   {
   USHORT ByteCount;
   Bytes
     {
     UCHAR Pad;
     UCHAR Data[DataLength];
     }
   }
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   SMB_Parameters (variable)                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      SMB_Data (variable)                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


SMB_Parameters (variable):

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   WordCount   |               Words (variable)                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


WordCount (1 byte): This field MUST be either 0x0C or 0x0E.

Words (variable):

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  AndXCommand  | AndXReserved  |          AndXOffset           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              FID              |            Offset             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              ...              |            Timeout            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              ...              |           WriteMode           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Remaining           |           Reserved            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          DataLength           |          DataOffset           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     OffsetHigh (optional)                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


AndXCommand (1 byte): The command code for the next SMB command in the packet. This value MUST be set to 0xFF if there are no additional SMB commands in the client request packet.

AndXReserved (1 byte): A reserved field. This MUST be set to 0x00 when this request is sent, and the server MUST ignore this value when the message is received.

AndXOffset (2 bytes): This field MUST be set to the offset in bytes from the start of the SMB Header (section 2.2.3.1) to the start of the WordCount field in the next SMB command in this packet. This field is valid only if the AndXCommand field is not set to 0xFF. If AndXCommand is 0xFF, this field MUST be ignored by the server.

FID (2 bytes): This field MUST be a valid FID indicating the file to which the data SHOULD be written.

Offset (4 bytes): If WordCount is 0x0C, this field represents a 32-bit offset, measured in bytes, of where the write SHOULD start relative to the beginning of the file. If WordCount is 0x0E, this field represents the lower 32 bits of a 64-bit offset, and OffsetHigh carries the upper 32 bits.

Timeout (4 bytes): This field is the time-out, in milliseconds, to wait for the write to complete. This field is used only when writing to a named pipe or an I/O device. It does not apply and MUST be 0x00000000 when writing to a regular file.

WriteMode (2 bytes): A 16-bit field containing flags defined as follows:

Name and bitmask      Meaning
--------------------  ------------------------------------------------------------------
WritethroughMode      If set, the server MUST NOT respond to the client before the data
0x0001                is written to disk (write-through).

ReadBytesAvailable    If set, the server SHOULD set the Response.SMB_Parameters.Available
0x0002                field correctly for writes to named pipes or I/O devices.

RAW_MODE              Applicable to named pipes only. If set, the named pipe MUST be
0x0004                written to in raw mode (no translation).

MSG_START             Applicable to named pipes only. If set, this data is the start of
0x0008                a message.

Remaining (2 bytes): This field is an advisory field telling the server approximately how many bytes are to be written to this file before the next non-write operation. It SHOULD include the number of bytes to be written by this request. The server MAY either ignore this field or use it to perform optimizations. If a pipe write spans multiple requests, the client SHOULD set this field to the number of bytes remaining to be written.<61>

Reserved (2 bytes): This field MUST be 0x0000.

DataLength (2 bytes): This field is the number of bytes included in the SMB_Data that are to be written to the file.

DataOffset (2 bytes): The offset in bytes from the start of the SMB Header (section 2.2.3.1) to the start of the data that is to be written to the file. The offset is always measured from the start of the SMB Header, regardless of the command request's position in an AndX chain. Specifying this offset allows a client to align the data buffer efficiently. Both DataOffset and DataLength are supplied by the client, so a receiving implementation needs to confirm that DataOffset + DataLength does not exceed the length of the received message before it reads the data block.

The DataOffset field can be used to relocate the SMB_Data.Bytes.Data block to the end of the message, even if the message is a multi-part AndX chain. If the SMB_Data.Bytes.Data block is relocated, the contents of SMB_Data.Bytes will not be contiguous.

Consider, for example, an SMB_COM_WRITE_ANDX + SMB_COM_CLOSE AndX chain. The client can specify a value for SMB_Parameters.Words.DataOffset that relocates the SMB_Data.Bytes.Data block to the end of the message, beyond the SMB_COM_CLOSE, even though the Data block is part of the SMB_COM_WRITE_ANDX request. In this case, the message would be structured as follows:

  • The SMB Header (section 2.2.3.1), with a command code of SMB_COM_WRITE_ANDX.

  • The complete SMB_Parameters block of the SMB_COM_WRITE_ANDX.

  • The SMB_Data block of the SMB_COM_WRITE_ANDX:

      • The value of SMB_Data.ByteCount is equal to 1 + SMB_Parameters.Words.DataLength. The additional 1 byte accounts for the SMB_Data.Bytes.Pad byte.

      • The SMB_Data.Bytes.Pad byte.

      • The SMB_Data.Bytes.Data block is not included here because it has been relocated.

  • The SMB_Parameters block of the SMB_COM_CLOSE follows immediately after the SMB_Data.Bytes.Pad byte of the SMB_COM_WRITE_ANDX. The location of the SMB_Parameters block of the SMB_COM_CLOSE, relative to the start of the SMB Header (section 2.2.3.1), is specified by the offset given in the SMB_Parameters.AndXOffset field of the SMB_COM_WRITE_ANDX portion of the message.

  • The SMB_Data block of the SMB_COM_CLOSE (consisting of a ByteCount of 0x0000).

  • Optional padding follows the SMB_Data block of the SMB_COM_CLOSE. If present, the padding is used to align the SMB_Data.Bytes.Data block to a 16- or 32-bit boundary.

  • The SMB_Data.Bytes.Data block, which is SMB_Parameters.Words.DataLength bytes in length. The location of the SMB_Data.Bytes.Data block within the message, relative to the start of the SMB Header (section 2.2.3.1), is indicated by the SMB_Parameters.Words.DataOffset field in the SMB_COM_WRITE_ANDX portion of the request.

OffsetHigh (4 bytes): This field is optional. If WordCount is 0x0C, this field is not included in the request. If WordCount is 0x0E, this field represents the upper 32 bits of a 64-bit offset, measured in bytes, of where the write SHOULD start relative to the beginning of the file.
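The relocated-data layout described above, as an added example that is not part of MS-CIFS or of any SMB implementation: Python that builds an SMB_COM_WRITE_ANDX + SMB_COM_CLOSE chain with the Data block placed after the CLOSE request, then parses it back while bounds-checking DataOffset, DataLength and AndXOffset against the real message length. The command codes 0x2F (SMB_COM_WRITE_ANDX) and 0x04 (SMB_COM_CLOSE), the 32-byte SMB Header layout and the CLOSE request layout (WordCount 3: FID, LastTimeModified; ByteCount 0) come from MS-CIFS; the header field values (TID, UID, MID, PID, Flags, Flags2), the FID and the written bytes are constructed placeholders.

```python
import struct

SMB_COM_CLOSE = 0x04
SMB_COM_WRITE_ANDX = 0x2F
SMB_COM_NONE = 0xFF            # AndXCommand value: no further command in the chain
SMB_HEADER_LEN = 32

# SMB Header (section 2.2.3.1): Protocol, Command, Status, Flags, Flags2,
# PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID.
HEADER_FMT = "<4sBIBHH8sHHHHH"
# Words for WordCount 0x0C (no OffsetHigh) and 0x0E (with OffsetHigh).
WORDS_FMT_0C = "<BBHHIIHHHHH"
WORDS_FMT_0E = WORDS_FMT_0C + "I"
# Byte position of Words.DataOffset inside the message (header + WordCount + 22).
DATA_OFFSET_FIELD = SMB_HEADER_LEN + 1 + 22


def smb_header(command, tid=1, uid=1, mid=1, pid=0x0C0D):
    # TID/UID/MID/PID are placeholder assumptions; a real client obtains them
    # from SESSION_SETUP / TREE_CONNECT. Flags/Flags2 are likewise assumed.
    return struct.pack(HEADER_FMT, b"\xffSMB", command, 0, 0x18, 0x0001, 0,
                       b"\x00" * 8, 0, tid, pid, uid, mid)


def build_write_andx_close(fid, file_offset, data, align=4):
    """WRITE_ANDX (WordCount 0x0E) + CLOSE, with Data relocated past the CLOSE."""
    words_len = struct.calcsize(WORDS_FMT_0E)                   # 28 bytes
    # Fixed part of WRITE_ANDX: WordCount + Words + ByteCount + Pad.
    andx_offset = SMB_HEADER_LEN + 1 + words_len + 2 + 1        # CLOSE.WordCount goes here
    # SMB_COM_CLOSE request: WordCount 3, FID, LastTimeModified, ByteCount 0.
    close_block = struct.pack("<BHIH", 3, fid, 0xFFFFFFFF, 0)
    end_of_close = andx_offset + len(close_block)
    pad_len = (-end_of_close) % align                           # optional alignment padding
    data_offset = end_of_close + pad_len
    words = struct.pack(WORDS_FMT_0E,
                        SMB_COM_CLOSE, 0, andx_offset, fid,
                        file_offset & 0xFFFFFFFF,               # Offset: low 32 bits
                        0,                                      # Timeout: MUST be 0 for files
                        0x0001,                                 # WriteMode: WritethroughMode
                        len(data),                              # Remaining (advisory)
                        0,                                      # Reserved
                        len(data),                              # DataLength
                        data_offset,                            # DataOffset
                        file_offset >> 32)                      # OffsetHigh: high 32 bits
    # ByteCount = 1 + DataLength; only the Pad byte is present in place.
    write_block = bytes([0x0E]) + words + struct.pack("<H", 1 + len(data)) + b"\x00"
    return (smb_header(SMB_COM_WRITE_ANDX) + write_block + close_block
            + b"\x00" * pad_len + data)


def parse_write_andx(msg):
    """Parse a WRITE_ANDX request; every client-supplied offset is bounds-checked."""
    if len(msg) < SMB_HEADER_LEN + 1 or msg[:4] != b"\xffSMB":
        raise ValueError("not an SMB message")
    if msg[4] != SMB_COM_WRITE_ANDX:
        raise ValueError("not SMB_COM_WRITE_ANDX")
    word_count = msg[SMB_HEADER_LEN]
    if word_count not in (0x0C, 0x0E):
        raise ValueError("WordCount MUST be 0x0C or 0x0E")
    fmt = WORDS_FMT_0E if word_count == 0x0E else WORDS_FMT_0C
    words_len = word_count * 2
    fixed_end = SMB_HEADER_LEN + 1 + words_len + 2 + 1          # end of the Pad byte
    if len(msg) < fixed_end:
        raise ValueError("truncated request")
    fields = struct.unpack_from(fmt, msg, SMB_HEADER_LEN + 1)
    (andx_cmd, _, andx_off, fid, off_lo, timeout, mode, remaining,
     reserved, data_len, data_off) = fields[:11]
    off_hi = fields[11] if word_count == 0x0E else 0
    byte_count = struct.unpack_from("<H", msg, SMB_HEADER_LEN + 1 + words_len)[0]
    if byte_count < 1:
        raise ValueError("ByteCount MUST be >= 1")
    # Data may sit anywhere after the fixed part, so check DataOffset/DataLength
    # against the real message length rather than trusting them.
    if data_off < fixed_end or data_off + data_len > len(msg):
        raise ValueError("DataOffset/DataLength outside the message")
    if andx_cmd != SMB_COM_NONE and not (fixed_end <= andx_off < len(msg)):
        raise ValueError("AndXOffset outside the message")
    return {
        "fid": fid,
        "offset": (off_hi << 32) | off_lo,
        "timeout": timeout,
        "write_mode": mode,
        "data": msg[data_off:data_off + data_len],
        "andx_command": andx_cmd,
        "andx_offset": andx_off,
    }


def is_well_formed(msg):
    try:
        parse_write_andx(msg)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: write 11 bytes at a 64-bit offset, then close the FID.
    msg = build_write_andx_close(fid=0x4001, file_offset=0x1_0000_0010, data=b"hello world")
    req = parse_write_andx(msg)
    print(len(msg), hex(req["offset"]), req["data"], hex(req["andx_command"]))
```

In the constructed message the CLOSE request starts at byte 64 (the AndXOffset) while the WRITE_ANDX data starts at byte 76 (the DataOffset), so a parser that assumed SMB_Data.Bytes.Data follows the Pad byte would read the CLOSE parameters as file content. The bounds checks in parse_write_andx reject a DataOffset or AndXOffset that points outside the received bytes before any slice is taken.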

SMB_Data (variable):

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           ByteCount           |       Bytes (variable)        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


ByteCount (2 bytes): This field MUST be greater than or equal to 0x0001.

Bytes (variable):

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Pad      |                Data (variable)                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


Pad (1 byte): Padding byte that MUST be ignored.

Data (variable): The bytes to be written to the file.
