Analysis of the Security of Windows NT
1 March 1999
In the NT environment, an SMB is carried on top of a NetBIOS over TCP/IP (NBT)
session; NetBIOS can also be carried over UDP. A Server Message Block has the
structure described in Figure 6. For a pseudo-C description, see appendix C.
FIGURE 6. The structure of an SMB
The Protocol field contains the identifier 0xFF followed by the characters SMB.
The Status field contains the error code if the request was not successful. Two types of
error responses are supported: a DOS error type, consisting of an error class and an error
code, and a 32-bit error code.
The Flags and Flags2 fields contain flags for different options, such as the use of security
signatures and long filenames; see appendix C for more details.
The Pad or Extra field contains the signature if SMB signing is used; otherwise it
contains padding.
The Identifiers field contains four types of identifiers: the tree identifier Tid, the process
identifier Pid, the user identifier Uid and a multiplex identifier Mid. The Tid is
used to identify the mounted share in case the user has several shares mounted on the
same session. It also acts as the root of the mounted share, so every request is relative to
the Tid. The Tid is set by the server in reply to a C TreeConnect request. The Pid is
used to decide which process, thread or task opened a file or requested a lock. It is
set by the client. The Uid identifies the user to the server; see section 5.4.3. Finally, the
Mid is used to multiplex multiple outstanding requests on one session.
The Parameters field contains a word count and a number of parameter words. The
word count tells how many parameter words follow. The number and types of
parameters differ among the different commands; see [31] for more details.
Finally, the Data field consists of a byte count and a buffer. The byte count tells how
many bytes of data are present in the buffer, and the buffer contains the actual data, e.g.
records read from a file.
The SMB protocol has the ability to group commands together. This is called AndX
batching. In this case, only the parameter and data fields of each batched command are
appended after the first command. AndX batching is permitted as long as the size of the
SMB packet does not exceed the negotiated size, and all commands have to refer to
the same identifiers.
[Figure 6 field labels: Protocol | Status | Flags | Flags2 | Pad or Extra | Identifiers: Tid, Pid, Uid, Mid | Parameters: WordCount, ParameterWords | Data: ByteCount, Buffer]
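As an added example (not from the paper or its appendix C), the following Python parser splits one SMB into the fields described above and checks the bounds a receiver should enforce. It assumes the 32-byte header layout and the Flags2 bit values from the CIFS specification, which the paper does not list, and uses a constructed sample message.

```python
import struct

# 32-byte header layout and Flags2 bit values from the CIFS specification
# (assumed here; the paper itself does not list them).
SMB_MAGIC = b"\xffSMB"
HEADER = struct.Struct("<4sBIBHH8sHHHHH")  # Protocol .. Mid
FLAGS2_LONG_NAMES = 0x0001
FLAGS2_SECURITY_SIGNATURE = 0x0004
FLAGS2_NT_STATUS = 0x4000


def parse_smb(buf: bytes) -> dict:
    """Split one SMB into header, parameter words and data buffer, checking bounds."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated SMB header")
    (proto, cmd, status, flags, flags2, pid_high, signature,
     _reserved, tid, pid_low, uid, mid) = HEADER.unpack_from(buf)
    if proto != SMB_MAGIC:
        raise ValueError("bad protocol identifier %r" % proto)
    # Status is a DOS (class, code) pair unless Flags2 marks it as a 32-bit status.
    if flags2 & FLAGS2_NT_STATUS:
        err = {"nt_status": status}
    else:
        err = {"error_class": status & 0xFF, "error_code": (status >> 16) & 0xFFFF}
    signing = bool(flags2 & FLAGS2_SECURITY_SIGNATURE)  # Pad/Extra holds a signature only then
    pos = HEADER.size
    word_count = buf[pos]
    pos += 1
    if len(buf) < pos + 2 * word_count + 2:
        raise ValueError("word count exceeds packet")
    words = list(struct.unpack_from("<%dH" % word_count, buf, pos))
    pos += 2 * word_count
    (byte_count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if len(buf) < pos + byte_count:
        raise ValueError("byte count exceeds packet")
    return {"command": cmd, "status": err, "flags": flags, "flags2": flags2,
            "long_names": bool(flags2 & FLAGS2_LONG_NAMES),
            "signing": signing, "signature": signature if signing else None,
            "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid,
            "words": words, "data": buf[pos:pos + byte_count]}


# Constructed sample: a TreeConnectAndX (0x75) reply carrying DOS error class 1, code 2.
SAMPLE = (HEADER.pack(SMB_MAGIC, 0x75, 0x01 | (0x0002 << 16), 0x80, FLAGS2_LONG_NAMES,
                      0, b"\0" * 8, 0, 0x0801, 0xFEFF, 0x0800, 0x0003)
          + bytes([2]) + struct.pack("<HH", 0x00FF, 0)  # WordCount=2, parameter words
          + struct.pack("<H", 3) + b"A:\0")            # ByteCount=3, data buffer

if __name__ == "__main__":
    print(parse_smb(SAMPLE))
```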