UEDIT打开nt5inf.cat。
第一部分:
/*
 * _GetMessage (excerpt) - obtain the encoded signed message for the subject
 * being verified.
 *
 * Picks the SIP dispatch table and subject info that match
 * pProvData->pWintrustData->dwUnionChoice, asks the SIP's pfGet callback for
 * the size of the encoded message, allocates a buffer of that size with the
 * provider's pfnAlloc, and calls pfGet a second time to fill it. In the
 * debugger trace on this page the pfGet slot resolves to
 * CRYPT32!CryptSIPGetSignedDataMsg.
 *
 * Returns TRUE early when the provider is being recalled with state and
 * already holds a message handle. Returns FALSE on every failure path shown
 * here, after recording a code in pProvData->padwTrustStepErrors (and, for
 * the allocation failure, in pProvData->dwError).
 *
 * NOTE(review): the listing stops after the second pfGet call; the closing
 * brace and the code that uses dwMsgType, hMsg and hProv are not shown.
 */
BOOL _GetMessage(CRYPT_PROVIDER_DATA *pProvData)
{
DWORD dwMsgEncoding;
SIP_SUBJECTINFO *pSubjInfo;
SIP_DISPATCH_INFO *pSip;
DWORD cbEncodedMsg;
BYTE *pbEncodedMsg;
DWORD dwMsgType;
HCRYPTMSG hMsg;
HCRYPTPROV hProv;
/* dwMsgEncoding is an output of pfGet below; dwMsgType is only zeroed in this excerpt. */
dwMsgEncoding = 0;
dwMsgType = 0;
/* Choose which SIP and which subject info describe the object under verification. */
switch(pProvData->pWintrustData->dwUnionChoice)
{
case WTD_CHOICE_CATALOG:
/*
 * NOTE(review): _ISINSTRUCT is not defined in this excerpt; presumably it
 * checks that cbStruct is large enough for the caller's structure to contain
 * fRecallWithState - confirm. When the provider is recalled with state and a
 * message handle already exists, there is nothing to fetch.
 */
if ((_ISINSTRUCT(CRYPT_PROVIDER_DATA, pProvData->cbStruct, fRecallWithState)) &&
(pProvData->fRecallWithState) &&
(pProvData->hMsg))
{
return(TRUE);
}
/* Catalog verification reads the message through the catalog SIP. */
pSip = pProvData->pPDSip->pCATSip;
pSubjInfo = pProvData->pPDSip->psSipCATSubjectInfo;
break;
case WTD_CHOICE_BLOB:
case WTD_CHOICE_FILE:
/* Blob and file subjects share the regular SIP and subject info. */
pSip = pProvData->pPDSip->pSip;
pSubjInfo = pProvData->pPDSip->psSipSubjectInfo;
break;
default:
/* Any other union choice is reported as "no signature". */
pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV] = TRUST_E_NOSIGNATURE;
return(FALSE);
}
/*
 * Size query: NULL buffer and a zero length. The return value of this first
 * call is not checked; only the size written to cbEncodedMsg decides. The
 * third argument (dwIndex of CryptSIPGetSignedDataMsg) is the constant 0.
 * NOTE(review): cbEncodedMsg is presumably derived from the contents of the
 * file being verified, and it drives the allocation size below - confirm.
 */
cbEncodedMsg = 0;
pSip->pfGet(pSubjInfo, &dwMsgEncoding, 0, &cbEncodedMsg, NULL);
if (cbEncodedMsg == 0)
{
/* No message reported: keep the SIP's last error and fail as unsigned. */
pProvData->padwTrustStepErrors[TRUSTERROR_STEP_SIP] = GetLastError();
pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV] = TRUST_E_NOSIGNATURE;
return(FALSE);
}
/* Allocate exactly the reported size with the provider's allocator. */
if (!(pbEncodedMsg = (BYTE *)pProvData->psPfns->pfnAlloc(cbEncodedMsg)))
{
pProvData->dwError = GetLastError();
pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV] = TRUST_E_SYSTEM_ERROR;
return(FALSE);
}
/*
 * Second call: same arguments, now with the buffer, and cbEncodedMsg passed
 * in as its capacity. NOTE(review): the callee is expected to write no more
 * than that many bytes; its implementation is not part of this excerpt.
 */
if (!(pSip->pfGet(pSubjInfo, &dwMsgEncoding, 0, &cbEncodedMsg, pbEncodedMsg)))
{
pProvData->padwTrustStepErrors[TRUSTERROR_STEP_SIP] = GetLastError();
pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV] = TRUST_E_NOSIGNATURE;
/* Release the buffer so the failure path does not leak it. */
pProvData->psPfns->pfnFree(pbEncodedMsg);
return(FALSE);
}
/* (excerpt ends here; the remainder of the function is not shown) */
倒数第三个参数（即 pfGet 的第三个参数 dwIndex）是0
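第二部分:（单步到第二次 pfGet 调用：缓冲区 pbEncodedMsg 已分配但内容仍全为 0。注意 dv 中 pProvData 显示为 0x00096934，与 cbEncodedMsg 相同；从 lea eax,[ebp+8] 被作为 &cbEncodedMsg 压栈来看，应是编译器把参数槽 [ebp+8] 复用给了 cbEncodedMsg，此处 dv 显示的 pProvData 并不是有效指针。）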
0: kd> p
WINTRUST!_GetMessage+0x90:
001b:76804d15 751d jne WINTRUST!_GetMessage+0xaf (76804d34)
0: kd> p
WINTRUST!_GetMessage+0xaf:
001b:76804d34 50 push eax
0: kd> dv
pProvData = 0x00096934
dwMsgType = 0
pbEncodedMsg = 0x01e00020 ""
dwMsgEncoding = 0x10001
cbEncodedMsg = 0x96934
1: kd> bc 33
1: kd> ?0x96934
Evaluate expression: 616756 = 00096934
0: kd> db 0x01e00020
01e00020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01e00030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01e00040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01e00050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01e00060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01e00070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01e00080 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01e00090 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0: kd> p
WINTRUST!_GetMessage+0xb0:
001b:76804d35 8d4508 lea eax,[ebp+8]
0: kd> p
WINTRUST!_GetMessage+0xb3:
001b:76804d38 50 push eax
0: kd> p
WINTRUST!_GetMessage+0xb4:
001b:76804d39 6a00 push 0 倒数第三个参数是0
0: kd> p
WINTRUST!_GetMessage+0xb6:
001b:76804d3b 8d45fc lea eax,[ebp-4]
0: kd> p
WINTRUST!_GetMessage+0xb9:
001b:76804d3e 50 push eax
0: kd> p
WINTRUST!_GetMessage+0xba:
001b:76804d3f 53 push ebx
0: kd> p
WINTRUST!_GetMessage+0xbb:
001b:76804d40 ff5708 call dword ptr [edi+8]
0: kd> r
eax=007ce990 ebx=01c527f0 ecx=00096934 edx=00290c14 esi=007cea00 edi=01c51a78
eip=76804d40 esp=007ce968 ebp=007ce994 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
WINTRUST!_GetMessage+0xbb:
001b:76804d40 ff5708 call dword ptr [edi+8] ds:0023:01c51a80={CRYPT32!CryptSIPGetSignedDataMsg (75c82759)}
0: kd> p
WINTRUST!_GetMessage+0xbe:
001b:76804d43 85c0 test eax,eax
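第三部分:（pfGet 返回之后，缓冲区已填入 DER 编码的 PKCS#7 SignedData：开头的 30 83 09 69 2f 表示 SEQUENCE、内容长度 0x09692f，加上 5 字节头部正好等于 cbEncodedMsg = 0x96934；随后的 06 09 2a 86 48 86 f7 0d 01 07 02 是 signedData 的 OID 1.2.840.113549.1.7.2。）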
0: kd> dv
pProvData = 0x00096934
dwMsgType = 0
pbEncodedMsg = 0x01e00020 "0???"
dwMsgEncoding = 0x10001
cbEncodedMsg = 0x96934
0: kd> db 0x01e00020
01e00020 30 83 09 69 2f 06 09 2a-86 48 86 f7 0d 01 07 02 0..i/..*.H......
01e00030 a0 83 09 69 1f 30 83 09-69 1a 02 01 01 31 0b 30 ...i.0..i....1.0
01e00040 09 06 05 2b 0e 03 02 1a-05 00 30 83 09 57 31 06 ...+......0..W1.
01e00050 09 2b 06 01 04 01 82 37-0a 01 a0 83 09 57 21 30 .+.....7.....W!0
01e00060 83 09 57 1c 30 0c 06 0a-2b 06 01 04 01 82 37 0c ..W.0...+.....7.
01e00070 01 01 04 10 bb fd 30 fb-6f a3 d9 40 82 26 85 87 ......0.o..@.&..
01e00080 87 cd 89 4b 17 0d 32 34-30 39 31 35 30 33 34 35 ...K..2409150345
01e00090 30 36 5a 30 0e 06 0a 2b-06 01 04 01 82 37 0c 01 06Z0...+.....7..
0: kd> dv
pProvData = 0x00096934
dwMsgType = 0
pbEncodedMsg = 0x01e00020 "0???"
dwMsgEncoding = 0x10001
cbEncodedMsg = 0x96934
第四部分:参考信息（进入 CryptSIPGetSignedDataMsg 时的调用栈；验证由 sfc_os!SfcValidateFileSignature 经 WinVerifyTrust 发起）
0: kd> kc
#
00 WINTRUST!CryptSIPGetSignedDataMsg
01 CRYPT32!CryptSIPGetSignedDataMsg
02 WINTRUST!_GetMessage
03 WINTRUST!SoftpubLoadMessage
04 WINTRUST!_VerifyTrust
05 WINTRUST!WinVerifyTrust
06 sfc_os!SfcValidateFileSignature
07 sfc_os!SfcGetValidationData
08 sfc_os!SfcValidateDLL
09 sfc_os!SfcQueueValidationThread
0a kernel32!BaseThreadStart