Analysis of CRYPT32!ASN1Dec_SignedDataWithBlobs: the role of CRYPT32!ASN1Dec_AttributesNC is to obtain the three certificates
Part 1:
static int ASN1CALL ASN1Dec_SignedDataWithBlobs(ASN1decoding_t dec, ASN1uint32_t tag, SignedDataWithBlobs *val)
{
    ......
    if (t == 0x80000000) {
        (val)->o[0] |= 0x80;
        if (!ASN1Dec_CertificatesNC(dd, 0x80000000, &(val)->certificates)) // obtains (val)->certificates
            return 0;
    }
Part 2:
1: kd> p
CRYPT32!ASN1Dec_SignedDataWithBlobs+0x92:
001b:75c7d32c e806e6ffff call CRYPT32!ASN1Dec_AttributesNC (75c7b937)
1: kd> t
CRYPT32!ASN1Dec_AttributesNC:
001b:75c7b937 55 push ebp
1: kd> kc
#
00 CRYPT32!ASN1Dec_AttributesNC
01 CRYPT32!ASN1Dec_SignedDataWithBlobs
02 MSASN1!ASN1_Decode
03 CRYPT32!PkiAsn1Decode
04 CRYPT32!ICM_UpdateDecodingSignedData
05 CRYPT32!CryptMsgUpdate
06 WINTRUST!_GetMessage
07 WINTRUST!SoftpubLoadMessage
08 WINTRUST!_VerifyTrust
09 WINTRUST!WinVerifyTrust
0a sfc_os!SfcValidateFileSignature
0b sfc_os!SfcGetValidationData
0c sfc_os!SfcValidateDLL
0d sfc_os!SfcQueueValidationThread
0e kernel32!BaseThreadStart
Part 3:
1: kd> dv
dec = 0x012337d0
tag = 0x730d0
val = 0x0007ea60
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!SignedDataWithBlobs *)0x7ea60)
((CRYPT32!SignedDataWithBlobs *)0x7ea60) : 0x7ea60 [Type: SignedDataWithBlobs *]
[+0x000] bit_mask : 0x80 [Type: unsigned short]
[+0x000] o [Type: unsigned char [1]]
[+0x004] version : 1 [Type: long]
[+0x008] digestAlgorithms [Type: DigestAlgorithmIdentifiersNC]
[+0x010] contentInfo [Type: ContentInfoNC]
[+0x060] certificates [Type: CertificatesNC]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!CertificatesNC *)0x7eac0))
(*((CRYPT32!CertificatesNC *)0x7eac0)) [Type: CertificatesNC]
[+0x000] count : 0x3 [Type: unsigned long]
[+0x004] value : 0x72f18 [Type: tagASN1open_t *]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!tagASN1open_t *)0x72f18)
((CRYPT32!tagASN1open_t *)0x72f18) : 0x72f18 [Type: tagASN1open_t *]
[+0x000] length : 0x31d [Type: unsigned long]
[+0x004] encoded : 0x1e95784 [Type: void *]
[+0x004] value : 0x1e95784 [Type: void *]
1: kd> dt CRYPT32!tagASN1open_t 0x72f18+8
+0x000 length : 0x68c
+0x004 encoded : 0x01e95aa1 Void
+0x004 value : 0x01e95aa1 Void
1: kd> dt CRYPT32!tagASN1open_t 0x72f18+10
+0x000 length : 0x69b
+0x004 encoded : 0x01e9612d Void
+0x004 value : 0x01e9612d Void
1: kd> ?0x31d
Evaluate expression: 797 = 0000031d
1: kd> ?0x68c
Evaluate expression: 1676 = 0000068c
1: kd> ?0x69b
Evaluate expression: 1691 = 0000069b
Part 4:
1: kd> ?0x1e95784-0x1e00020
Evaluate expression: 612196 = 00095764
1: kd> ?0x01e95aa1-0x1e00020
Evaluate expression: 612993 = 00095a81
1: kd> ?0x01e9612d-0x1e00020
Evaluate expression: 614669 = 0009610d
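The Part 3 dump shows three tagASN1open_t entries whose encoded pointers sit back to back in one buffer (0x1e95784 + 0x31d = 0x1e95aa1, and 0x1e95aa1 + 0x68c = 0x1e9612d), so each entry is one whole certificate TLV referenced in place. The following C code is an added example, not CRYPT32 code: it splits a [0]-tagged certificates field into the same length/pointer pairs with bounds checks. The names open_blob, der_header and split_certificates and the sample bytes are constructed for illustration, and reading tag 0x80000000 as the wire byte 0xA0 is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as the tagASN1open_t dumped in Part 3: a length and a pointer into the input. */
typedef struct { uint32_t length; const uint8_t *encoded; } open_blob;

/* Constructed sample: [0] wrapping three tiny TLVs that stand in for certificates. */
static const uint8_t sample[] = {
    0xA0, 0x0E, 0x30, 0x02, 0x05, 0x00,
    0x30, 0x03, 0x02, 0x01, 0x01, 0x30, 0x03, 0x01, 0x01, 0xFF };

/* Parse one DER header at p (end = buffer limit). Returns header size, 0 on error. */
static size_t der_header(const uint8_t *p, const uint8_t *end, size_t *len) {
    if (end - p < 2 || (p[0] & 0x1f) == 0x1f) return 0;   /* high-tag-number form unsupported */
    size_t n = p[1], hdr = 2;
    if (n & 0x80) {                                       /* long form length */
        size_t k = n & 0x7f;
        if (k == 0 || k > 4 || (size_t)(end - p) < 2 + k) return 0;  /* indefinite or oversized */
        for (n = 0; hdr < 2 + k; hdr++) n = (n << 8) | p[hdr];
    }
    if ((size_t)(end - p) - hdr < n) return 0;            /* content must fit in the buffer */
    *len = n; return hdr;
}

/* Split the certificates field into per-certificate blobs without copying. Returns count or -1. */
static int split_certificates(const uint8_t *buf, size_t size, open_blob *out, int max) {
    size_t len, hdr = der_header(buf, buf + size, &len);
    if (!hdr || buf[0] != 0xA0) return -1;                /* assumed wire form of tag 0x80000000 */
    const uint8_t *p = buf + hdr, *end = p + len;
    int count = 0;
    while (p < end) {
        size_t h = der_header(p, end, &len);
        if (!h || count == max) return -1;                /* malformed element or table full */
        out[count].length = (uint32_t)(h + len);          /* whole TLV, header included */
        out[count++].encoded = p;                         /* points into the input buffer */
        p += h + len;
    }
    return count;
}

int main(void) {
    open_blob certs[8];
    int n = split_certificates(sample, sizeof sample, certs, 8);
    for (int i = 0; i < n; i++)   /* offsets relative to the buffer start, as in Part 4 */
        printf("cert[%d] offset=0x%zx length=0x%x\n", i, (size_t)(certs[i].encoded - sample), certs[i].length);
    return n == 3 ? 0 : 1;
}
```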