Binary Policies

This is a capture of the network payload of a full delivery of policies from the Device Control server persisted in a file. For optimization of delta delivery, the server packages groups of objects in chunks and compress them using G-Zip. A signature of the whole list of chunks is added at the end of the payload. The policy file doesn't contain the initial 4 bytes containing the size of all chunks.

FILE

Offset	Length	Type	Name	Description
0	4	unsigned int	chunks size	size of all chunks (3 next lines, without signature)
4	8	unsigned int	chunk size	size of this chunk
8	var1	HEADER	header	header structure of an LES policy file (.dat)
8+var1	var2	buffer	payload	group of METADATA (serialized / gzipped)
total-256	256	buffer	signature	RSA signature with 2048 bits keys

HEADER

Offset	Length	Type	Name	Description
0	1	unsigned char	opcode	opReply = 200
1	1	unsigned char	reserved	must be set to zero
2	1	unsigned char	nQ	number of reQuest watermarks
3	1	unsigned char	nR	number of Response watermarks
4	4	unsigned int	flags	flgGzipped = 1
8	8	unsigned int 64	timestamp	FILETIME stored on an unsigned int 64
16	24*(nQ+nR)	WATERMARK	watermark	identify source and incremental number

WATERMARK

Offset	Length	Type	Name	Description
0	16	guid	srvid	policy source unique identifier
16	8	unsigned int 64	usn	incremented version number

METADATA

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	identifies the class unique identifier
20	16	guid	oid	identifies the instance unique identifier
36	size - 32	buffer	n/a	depends on the class instance identifier

METADATA - Device

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0xE24EB313, 0x0718, 0x4D27, 0xB2, 0x1A, 0xC8, 0xF5, 0x26, 0x6B, 0xEE, 0x99}
20	16	guid	oid	identifies the instance unique identifier
36	4	unsigned int	devid	Device identity, model and instance in (30000, 60000) range
40	4	unsigned int	classid	Device class identity (removable, cd, floppy, and so on)
44	4+2*len(name)	unsigned int + wchar_t[]	name	Display name
48+…	4	unsigned int	enable	0: disabled, 1: enabled, 2: unmanaged (?)
52+…	4	unsigned int	capabilities	Capability flags
56+…	4	unsigned int	parent	Device parent identity

METADATA - Device Identity

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0x00F9524A, 0xA7FB, 0x414F, 0x89, 0xCF, 0xF9, 0x7F, 0x63, 0x52, 0x8B, 0x03}
20	16	guid	oid	identifies the instance unique identifier
36	4	unsigned int	enforcer
40	4	unsigned int	detection
44	16	guid	iface
60	16	guid	class
76	4	unsigned int	bus
80	4	unsigned int	checkdev
84	4	unsigned int	chars
88	4	unsigned int	exclchars
92	4	unsigned int	nttype
96	4	unsigned int	xnttype
100	4+2*len(driver)	unsigned int + wchar_t[]	driver
104+…	4+2*len(device)	unsigned int + wchar_t[]	device
108+…	4+2*len(hwid)	unsigned int + wchar_t[]	hwid
112+…	4	unsigned int	devid	References Device::devid

METADATA - Workstation Group

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0x205D2690, 0x9544, 0x414E, 0xAF, 0xB4, 0x92, 0xE5, 0x7B, 0xC3, 0xFB, 0x8C}
20	16	guid	oid	identifies the instance unique identifier
36	4	unsigned int	grpid	Workstation group identifier
40	4+2*len(wksname)	unsigned int + wchar_t[]	wksname	Workstation name

METADATA - Device Permission (u2dev)

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0xB7CF2629, 0xB175, 0x4B74, 0xBB, 0x47, 0x70, 0x98, 0xD3, 0x3B, 0xC0, 0xFD}
20	16	guid	oid	identifies the instance unique identifier
36	4	unsigned int	userid	User identifier
40	80	unsigned char[80]	sid	User SID
120	4	unsigned int	devid	References Device::devid
124	4	unsigned int	rights	Right flags
128	4	unsigned int	sectype	Type flags
132	16	guid	task	References Task::oid
148	4	unsigned int	groupid	References Workstation Group::grpid
152	4+2*len(wksname)	unsigned int + wchar_t[]	wksname	Workstation name

METADATA - Task

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0xBC4F851C, 0x3877, 0x4300, 0xB1, 0x64, 0x64, 0x04, 0x14, 0xAE, 0xC7, 0x7B}
20	16	guid	oid	identifies the instance unique identifier
36	8	unsigned int 64	begindt	Beginning of the task
44	8	unsigned int 64	enddt	Expired date
52	8	unsigned int 64	begintm	Time (0h0m0c..23h59m59c) when rights applied in the day
60	8	unsigned int 64	endtm	Time (0h0m0c..23h59m59c) when rights removed in the day
68	4	unsigned int	weekday	Week day flags: Su: 1, Mn: 2, Tu: 4, We: 8, Th: 16, Fr: 32, Sa: 64

METADATA - Settings

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0xBA6BA2AD, 0x91A4, 0x4AA1, 0xBD, 0xE1, 0x44, 0x5D, 0xBB, 0xB0, 0x5F, 0xD0}
20	16	guid	oid	identifies the instance unique identifier
36	4+2*len(section)	unsigned int + wchar_t[]	section	Section name
40+…	4+2*len(label)	unsigned int + wchar_t[]	label	Label
44+…	4+2*len(data)	unsigned int + wchar_t[]	data	Value

METADATA - Medium (cds)

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0x64417E50, 0xDD02, 0x4D2A, 0x86, 0x9F, 0xEC, 0x9B, 0xA9, 0xDF, 0x68, 0x07}
20	16	guid	oid	identifies the instance unique identifier
36	4	unsigned int	protection	Type of medium: 300: Optical, 301: Encrypted
40	4+2*len(label)	unsigned int + wchar_t[]	label	Label
44+…	4+2*len(data)	unsigned int + wchar_t[]	description	Value
48+…	20	unsigned char[20]	hash	Hash, identifies the instance (either optical or encrypted)
68+…	4	unsigned int	ciphertype	Encryption method: 0: none, 1: aes256ctr, 2: aes256cfb

METADATA - Medium Permission (u2cd)

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0x4D1A9AD7, 0x7339, 0x409A, 0x95, 0x97, 0x3D, 0xAF, 0xE1, 0x79, 0x58, 0xEA}
20	16	guid	oid	identifies the instance unique identifier
36	80	unsigned char[80]	user	User SID
116	16	guid	medium	References Medium::oid
132	4	unsigned int	rights	Access rights, 3: read & write

METADATA - Medium Keys

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0xF8CA6D0E, 0x0637, 0x4432, 0xB0, 0x70, 0xD3, 0xE7, 0x4F, 0x39, 0xFE, 0x47}
20	16	guid	oid	identifies the instance unique identifier
36	20	unsigned char[20]	thumbprint	Digital certificate thumbprint
56	4	unsigned int	ciphertype	Encryption method: 0: none, 1: aes256ctr, 2: aes256cfb
60	16	guid	medium	References Medium::oid
76	4+size(encryptedkey)	unsigned char[]	encryptedkey	Encrypted Medium Key

METADATA - Workstation Option

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0x08079004, 0x2348, 0x4D2B, 0x89, 0x6D, 0xBB, 0xAE, 0x44, 0x70, 0xA0, 0x3D}
20	16	guid	oid	identifies the instance unique identifier
36	4	unsigned int	optid	Option identifier
40	4+2*len(value)	unsigned int + wchar_t[]	value	Option value
44+…	4+2*len(wksname)	unsigned int + wchar_t[]	wksname	Workstation name

METADATA - Global Workstation Option

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0xAE7C130B, 0x125B, 0x4421, 0x9C, 0xD5, 0x1E, 0x73, 0x09, 0x40, 0x53, 0xCA}
20	16	guid	oid	identifies the instance unique identifier
36	4	unsigned int	optid	Option identifier
40	4+2*len(value)	unsigned int + wchar_t[]	value	Option value

METADATA - User Option

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0x637E35AC, 0x0C78, 0x4DBD, 0xBE, 0x97, 0x91, 0x35, 0x22, 0x1A, 0x0E, 0xE2}
20	16	guid	oid	identifies the instance unique identifier
36	4	unsigned int	optid	Option identifier
40	4+2*len(value)	unsigned int + wchar_t[]	value	Option value
44+…	80	unsigned char[80]	sid	User sid
124+…	4	unsigned int	isgroup	Type: 0: user, 1: user group

METADATA - Global User Option

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0x13E6A008, 0xDCA7, 0x4240, 0xA4, 0x09, 0x66, 0x54, 0x3C, 0x75, 0x86, 0x31}
20	16	guid	oid	identifies the instance unique identifier
36	4	unsigned int	optid	Option identifier
40	4+2*len(value)	unsigned int + wchar_t[]	value	Option value

METADATA - File

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	att	{0x2B224442, 0x6CBD, 0x416C, 0xA0, 0xBB, 0x0A, 0xBD, 0x46, 0xC8, 0x9E, 0x55}
20	16	guid	oid	identifies the instance unique identifier
36	4	unsigned int	isgroup	Type: 0: exe, 1: group, 2: script
40	20	unsigned char[20]	hash	SHA1 of the file or file group

METADATA - File Group

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0x29716BAF, 0xCBC5, 0x4892, 0x80, 0x9F, 0x14, 0xA4, 0x07, 0x55, 0x0E, 0x7C}
20	16	guid	oid	identifies the instance unique identifier
36	16	guid	parent	References File Group::oid
52	16	guid	member	References File::oid

METADATA - File GroupPermission

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0x29716BAF, 0xCBC5, 0x4892, 0x80, 0x9F, 0x14, 0xA4, 0x07, 0x55, 0x0E, 0x7C}
20	16	guid	oid	identifies the instance unique identifier
36	80	unsigned char[80]	sid	User sid
116	16	guid	filegrp	References File Group::oid

METADATA - Rule Object

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0x4bbc7e1d, 0x284e, 0x4043, { 0x9d, 0x28, 0xfc, 0x7a, 0xbf, 0x63, 0x1f, 0x7d}
20	16	guid	oid	identifies the instance unique identifier
36				…

METADATA - Rule Target List

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0x691907b, 0x3332, 0x4948, { 0x85, 0x3f, 0x50, 0x13, 0xe0, 0x2e, 0x54, 0x81}
20	16	guid	oid	identifies the instance unique identifier
36				…

METADATA - Rule Element

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0x56116250, 0x489, 0x4680, { 0x80, 0xcb, 0x3a, 0xeb, 0x6e, 0xdd, 0x5b, 0x71}
20	16	guid	oid	identifies the instance unique identifier
36				…

METADATA - Rules

Offset	Length	Type	Name	Description
0	4	unsigned int	size	metadata blob size
4	16	guid	attr	{0x2f625790, 0x4493, 0x487a, { 0x9e, 0x4, 0xe1, 0xf4, 0x4, 0x84, 0xbf, 0x2d}
20	16	guid	oid	identifies the instance unique identifier
36				…