MS SQL Server TCP/IP protocol packet

Source: Internet
Author: User

SQL Server Communication Protocol packet format

Author: bluestn
Version: 1.0

Background description:

Microsoft has not officially published the SQL Server TCP/IP communication protocol packet format. The format described here was worked out with a packet analysis tool for the purpose of extending SQL Server applications; its completeness and reliability need further improvement.

Header format:

SQL Server communicates using commands and responses. Whether a packet is a command or a response, the basic packet header format is as follows:

    /* WORD and DWORD are the 16-bit and 32-bit unsigned Windows types. */
    struct t_sqlservertcppackagehead {
        WORD  wcmdid;       // two-byte packet command ID
        WORD  wpackagelen;  // length of the entire packet
        DWORD dwunknown;    // unknown four-byte field
    };

wcmdid takes the following values:

    0x0112: connection request packet
    0x0104: response packet
    0x0110: ODBC login packet (encrypted authentication)
    0x0002: OLEDB-based login packet (plaintext verification)
    0x0101: database query command packet
    0x0102: unknown
    0x0000: corresponds to 0x0002; the server response after the OLEDB login packet is sent

wpackagelen is sent in bytes and is two bytes long, so the maximum size of a protocol packet is 65535 bytes.

Formats of several specific command packets

ODBC login packet (encrypted authentication)

Command ID: 0x0110. Starting at byte 0x2C, the packet holds the offset + field length information for each field of the connection parameters it contains. To obtain an offset relative to byte 0 of the header, add 8 to the stored value. The plaintext fields are encoded as Unicode. The fields specified from byte 0x2C are:

    1. Client host name
    2. Username used for logon
    3. Encrypted password used for logon
    4. Agent used for logon
    5. Unknown
    6. Application used for logon
    7. Unknown
    8. Unknown

OLEDB login packet (plaintext verification)

Command ID: 0x0002. Starting from the 8th byte, the fields are ANSI-encoded and follow in this order:

    1. Host name (up to 30 bytes). If shorter than 30 bytes, it is padded with 0x00 to 30 bytes. The next byte gives the length of the field (excluding the zero padding).
    2. Username used for logon (up to 30 bytes). If shorter than 30 bytes, it is padded with 0x00 to 30 bytes. The next byte gives the length of the field (excluding the zero padding).
    3. Unencrypted password used for logon (up to 30 bytes). If shorter than 30 bytes, it is padded with 0x00 to 30 bytes. The next byte gives the length of the field (excluding the zero padding).
    4. Unknown
    5. Proxy name used for logon (up to 63 bytes). If shorter than 63 bytes, it is padded with 0x00 to 63 bytes. The next byte gives the length of the field (excluding the zero padding).

OLEDB response packet

Command ID: 0x0104. The message body is ANSI-encoded. For a logon response error message packet, the fields starting from the 8th byte are:

    1. Unknown (1 byte)
    2. Message length (2 bytes), counted starting from this field
    3. Error number
    4. Error level + status (4 bytes)
    5. Message length (2 bytes), covering only the length of the message text
    6. Message text (ANSI-encoded), ending with 00 00 00
    7. Fixed: FD 02 00 00 00 00 00

ODBC response packet

Command ID: 0x0104. The message body is Unicode-encoded. For a logon response error message packet, the fields starting from the 8th byte are:

    1. Unknown (1 byte)
    2. Message length (2 bytes), counted starting from this field
    3. Error number
    4. Error level + status (4 bytes)
    5. Message length (2 bytes), covering only the length of the message text (the length of the Unicode string)
    6. Message text (ANSI-encoded), ending with 00 00 00
    7. Fixed: FD 02 00 00 00 00 00
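
The header and the plaintext OLEDB login layout described above, as an added example (not code from the original article or from Microsoft): a parser a defender can run over captured payloads to flag logins that carry a cleartext password, reporting only its length. Assumptions: the command ID is read little-endian and the length big-endian (the article gives no byte order), ANSI text is decoded as latin-1, all function names are hypothetical, and the sample packet is constructed.

```python
import struct

# Command IDs as listed in the article (wcmdid read as a little-endian word).
CMD_NAMES = {
    0x0112: "connection request",
    0x0104: "response",
    0x0110: "ODBC login (encrypted authentication)",
    0x0002: "OLEDB login (plaintext verification)",
    0x0101: "database query",
}

def parse_header(pkt):
    """Split the 8-byte header into (wcmdid, wpackagelen, dwunknown)."""
    if len(pkt) < 8:
        raise ValueError("shorter than the 8-byte header")
    # Assumption: ID little-endian, length big-endian; the article gives no byte order.
    cmd_id, = struct.unpack_from("<H", pkt, 0)
    length, = struct.unpack_from(">H", pkt, 2)
    unknown, = struct.unpack_from("<I", pkt, 4)
    return cmd_id, length, unknown

def _padded_field(pkt, off, size):
    """Read a field padded with 0x00 to `size` bytes, followed by one length byte."""
    if off + size + 1 > len(pkt):
        raise ValueError("truncated login field")
    used = pkt[off + size]
    if used > size:
        raise ValueError("length byte exceeds field size")
    return pkt[off:off + used].decode("latin-1"), off + size + 1

def inspect_login(pkt):
    """Return a finding dict for a plaintext OLEDB login packet, else None."""
    cmd_id, length, _ = parse_header(pkt)
    if cmd_id != 0x0002:
        return None
    host, off = _padded_field(pkt, 8, 30)   # fields start at the 8th byte
    user, off = _padded_field(pkt, off, 30)
    password, off = _padded_field(pkt, off, 30)
    # Report only that a cleartext password is present, never its value.
    return {"command": CMD_NAMES[cmd_id], "host": host, "user": user,
            "cleartext_password_len": len(password), "declared_len": length}

def build_sample():
    """Constructed sample packet (not a capture): host, user, password, then filler."""
    body = b""
    for value in (b"WKSTN01", b"appuser", b"example-pw"):
        body += value.ljust(30, b"\x00") + bytes([len(value)])
    body += b"\x00" * 10  # stands in for the fields the article leaves unspecified
    return struct.pack("<H", 0x0002) + struct.pack(">H", 8 + len(body)) + b"\x00" * 4 + body
```

A non-None result from inspect_login means the connection sent its password unencrypted, which is the condition to alert on or to remediate by moving the client to the encrypted login.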

 
