
WINTRUST!_GetMessage函数分析之CRYPT32!CryptSIPGetSignedDataMsg函数的作用是得到nt5inf.cat的信息

用 UEDIT 打开 nt5inf.cat。

第一部分:

BOOL _GetMessage(CRYPT_PROVIDER_DATA *pProvData)
{
DWORD               dwMsgEncoding;
SIP_SUBJECTINFO     *pSubjInfo;
SIP_DISPATCH_INFO   *pSip;

    DWORD               cbEncodedMsg;
BYTE                *pbEncodedMsg;

    DWORD               dwMsgType;
HCRYPTMSG           hMsg;
HCRYPTPROV          hProv;

    dwMsgEncoding   = 0;
dwMsgType       = 0;

    switch(pProvData->pWintrustData->dwUnionChoice)
{
case WTD_CHOICE_CATALOG:
if ((_ISINSTRUCT(CRYPT_PROVIDER_DATA, pProvData->cbStruct, fRecallWithState)) &&
(pProvData->fRecallWithState) &&
(pProvData->hMsg))
{
return(TRUE);
}

            pSip        = pProvData->pPDSip->pCATSip;
pSubjInfo   = pProvData->pPDSip->psSipCATSubjectInfo;
break;

        case WTD_CHOICE_BLOB:
case WTD_CHOICE_FILE:
pSip        = pProvData->pPDSip->pSip;
pSubjInfo   = pProvData->pPDSip->psSipSubjectInfo;
break;

        default:
pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV] = TRUST_E_NOSIGNATURE;
return(FALSE);
}

    cbEncodedMsg = 0;

    pSip->pfGet(pSubjInfo, &dwMsgEncoding, 0, &cbEncodedMsg, NULL);

    if (cbEncodedMsg == 0)
{
pProvData->padwTrustStepErrors[TRUSTERROR_STEP_SIP] = GetLastError();
pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV] = TRUST_E_NOSIGNATURE;
return(FALSE);
}

    if (!(pbEncodedMsg = (BYTE *)pProvData->psPfns->pfnAlloc(cbEncodedMsg)))
{
pProvData->dwError = GetLastError();
pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV] = TRUST_E_SYSTEM_ERROR;
return(FALSE);
}

    if (!(pSip->pfGet(pSubjInfo, &dwMsgEncoding, 0, &cbEncodedMsg, pbEncodedMsg)))
{
pProvData->padwTrustStepErrors[TRUSTERROR_STEP_SIP] = GetLastError();
pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV] = TRUST_E_NOSIGNATURE;

        pProvData->psPfns->pfnFree(pbEncodedMsg);

        return(FALSE);
}

两次调用 pSip->pfGet 时,倒数第三个参数都是 0。

第二部分:


0: kd> p
WINTRUST!_GetMessage+0x90:
001b:76804d15 751d            jne     WINTRUST!_GetMessage+0xaf (76804d34)
0: kd> p
WINTRUST!_GetMessage+0xaf:
001b:76804d34 50              push    eax
0: kd> dv
pProvData = 0x00096934
dwMsgType = 0
pbEncodedMsg = 0x01e00020 ""
dwMsgEncoding = 0x10001
cbEncodedMsg = 0x96934
1: kd> bc 33
1: kd> ?0x96934
Evaluate expression: 616756 = 00096934
0: kd> db 0x01e00020
01e00020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

01e00030  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01e00040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01e00050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01e00060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01e00070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01e00080  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01e00090  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0: kd> p
WINTRUST!_GetMessage+0xb0:
001b:76804d35 8d4508          lea     eax,[ebp+8]
0: kd> p
WINTRUST!_GetMessage+0xb3:
001b:76804d38 50              push    eax
0: kd> p
WINTRUST!_GetMessage+0xb4:
001b:76804d39 6a00            push    0            倒数第三个参数是0
0: kd> p
WINTRUST!_GetMessage+0xb6:
001b:76804d3b 8d45fc          lea     eax,[ebp-4]
0: kd> p
WINTRUST!_GetMessage+0xb9:
001b:76804d3e 50              push    eax
0: kd> p
WINTRUST!_GetMessage+0xba:
001b:76804d3f 53              push    ebx
0: kd> p
WINTRUST!_GetMessage+0xbb:
001b:76804d40 ff5708          call    dword ptr [edi+8]
0: kd> r
eax=007ce990 ebx=01c527f0 ecx=00096934 edx=00290c14 esi=007cea00 edi=01c51a78
eip=76804d40 esp=007ce968 ebp=007ce994 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
WINTRUST!_GetMessage+0xbb:
001b:76804d40 ff5708          call    dword ptr [edi+8] ds:0023:01c51a80={CRYPT32!CryptSIPGetSignedDataMsg (75c82759)}
0: kd> p
WINTRUST!_GetMessage+0xbe:
001b:76804d43 85c0            test    eax,eax

第三部分:


0: kd> dv
pProvData = 0x00096934
dwMsgType = 0
pbEncodedMsg = 0x01e00020 "0???"
dwMsgEncoding = 0x10001
cbEncodedMsg = 0x96934
0: kd> db 0x01e00020
01e00020  30 83 09 69 2f 06 09 2a-86 48 86 f7 0d 01 07 02  0..i/..*.H......
01e00030  a0 83 09 69 1f 30 83 09-69 1a 02 01 01 31 0b 30  ...i.0..i....1.0

01e00040  09 06 05 2b 0e 03 02 1a-05 00 30 83 09 57 31 06  ...+......0..W1.
01e00050  09 2b 06 01 04 01 82 37-0a 01 a0 83 09 57 21 30  .+.....7.....W!0
01e00060  83 09 57 1c 30 0c 06 0a-2b 06 01 04 01 82 37 0c  ..W.0...+.....7.
01e00070  01 01 04 10 bb fd 30 fb-6f a3 d9 40 82 26 85 87  ......0.o..@.&..
01e00080  87 cd 89 4b 17 0d 32 34-30 39 31 35 30 33 34 35  ...K..2409150345
01e00090  30 36 5a 30 0e 06 0a 2b-06 01 04 01 82 37 0c 01  06Z0...+.....7..
0: kd> dv
pProvData = 0x00096934
dwMsgType = 0
pbEncodedMsg = 0x01e00020 "0???"
dwMsgEncoding = 0x10001
cbEncodedMsg = 0x96934


第四部分:参考信息

0: kd> kc
#
00 WINTRUST!CryptSIPGetSignedDataMsg
01 CRYPT32!CryptSIPGetSignedDataMsg
02 WINTRUST!_GetMessage
03 WINTRUST!SoftpubLoadMessage
04 WINTRUST!_VerifyTrust
05 WINTRUST!WinVerifyTrust
06 sfc_os!SfcValidateFileSignature
07 sfc_os!SfcGetValidationData
08 sfc_os!SfcValidateDLL
09 sfc_os!SfcQueueValidationThread
0a kernel32!BaseThreadStart

http://www.xdnf.cn/news/1395901.html
