第一部分:
0: kd> kc
#
00 WINTRUST!SoftpubLoadMessage
01 WINTRUST!_VerifyTrust
02 WINTRUST!WinVerifyTrust
03 sfc_os!SfcValidateFileSignature
04 sfc_os!SfcGetValidationData
05 sfc_os!SfcValidateDLL
06 sfc_os!SfcQueueValidationThread
07 kernel32!BaseThreadStart
0: kd> kv
# ChildEBP RetAddr Args to Child
00 007ce9ac 767fe0d8 007cea00 01758ff8 007ceb00 WINTRUST!SoftpubLoadMessage+0xae (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\softpub\msgprov.cpp @ 112]
01 007cea98 767fe3b8 00000000 7683d010 00000000 WINTRUST!_VerifyTrust+0x11c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\wintrust\winvtrst.cpp @ 372]
02 007ceabc 76837467 00000000 7683d010 007ceb00 WINTRUST!WinVerifyTrust+0x4c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\wintrust\winvtrst.cpp @ 167]
03 007cf4b8 768378c5 01770cb8 00000f78 0011a568 sfc_os!SfcValidateFileSignature+0x2ba (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 332]
04 007cf4e0 7683791b 0112916c 0112917c 00000024 sfc_os!SfcGetValidationData+0xe0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 2165]
05 007cf724 76838a3d 0112916c 01770cb8 00000000 sfc_os!SfcValidateDLL+0x3a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 2222]
06 007cffb8 77e41be7 00000000 00000000 00000000 sfc_os!SfcQueueValidationThread+0x4ce (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 1671]
07 007cffec 00000000 7683856f
第二部分: WINTRUST!SoftpubLoadMessage 的源码 (对应上面栈回溯中 msgprov.cpp @ 112 的位置, 下面截取的只是函数开头的摘要校验部分):
HRESULT WINAPI SoftpubLoadMessage(CRYPT_PROVIDER_DATA *pProvData)
{
//
// verify the object that the message pertains to
//
if ((pProvData->pWintrustData->dwUnionChoice == WTD_CHOICE_CATALOG) &&
(_ISINSTRUCT(WINTRUST_CATALOG_INFO, pProvData->pWintrustData->pCatalog->cbStruct,
cbCalculatedFileHash)) &&
(pProvData->pWintrustData->pCatalog->pbCalculatedFileHash) &&
(pProvData->pWintrustData->pCatalog->cbCalculatedFileHash > 0))
{
//
// we've been passed in the calculated file hash so don't redo it, just check it!
//
if (!(pProvData->pPDSip->psIndirectData) ||
!(pProvData->pPDSip->psIndirectData->Digest.pbData) ||
(pProvData->pWintrustData->pCatalog->cbCalculatedFileHash !=
pProvData->pPDSip->psIndirectData->Digest.cbData) ||
(memcmp(pProvData->pWintrustData->pCatalog->pbCalculatedFileHash,
pProvData->pPDSip->psIndirectData->Digest.pbData,
pProvData->pPDSip->psIndirectData->Digest.cbData) != 0))
{
pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV] = TRUST_E_BAD_DIGEST;
return(S_FALSE);
}
}
0: kd> dv
pProvData = 0x007cea00
0: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((WINTRUST!_CRYPT_PROVIDER_DATA *)0x7cea00)
((WINTRUST!_CRYPT_PROVIDER_DATA *)0x7cea00) : 0x7cea00 [Type: _CRYPT_PROVIDER_DATA *]
[+0x000] cbStruct : 0x7c [Type: unsigned long]
[+0x004] pWintrustData : 0x7ceb00 [Type: _WINTRUST_DATA *]
[+0x008] fOpenedFile : 0 [Type: int]
[+0x00c] hWndParent : 0x0 [Type: HWND__ *]
[+0x010] pgActionID : 0x7683d010 : {F750E6C3-38EE-11D1-85E5-00C04FC295EE} [Type: _GUID *]
[+0x014] hProv : 0x1232758 [Type: unsigned long]
[+0x018] dwError : 0x0 [Type: unsigned long]
[+0x01c] dwRegSecuritySettings : 0x2 [Type: unsigned long]
[+0x020] dwRegPolicySettings : 0x23c00 [Type: unsigned long]
[+0x024] psPfns : 0x176e438 [Type: _CRYPT_PROVIDER_FUNCTIONS *]
[+0x028] cdwTrustStepErrors : 0x26 [Type: unsigned long]
[+0x02c] padwTrustStepErrors : 0x16c8598 : 0x0 [Type: unsigned long *]
[+0x030] chStores : 0x1 [Type: unsigned long]
[+0x034] pahStores : 0x1c53b68 [Type: void * *]
[+0x038] dwEncoding : 0x10001 [Type: unsigned long]
[+0x03c] hMsg : 0x16e7290 [Type: void *]
[+0x040] csSigners : 0x0 [Type: unsigned long]
[+0x044] pasSigners : 0x0 [Type: _CRYPT_PROVIDER_SGNR *]
[+0x048] csProvPrivData : 0x1 [Type: unsigned long]
[+0x04c] pasProvPrivData : 0x1c50870 [Type: _CRYPT_PROVIDER_PRIVDATA *]
[+0x050] dwSubjectChoice : 0x1 [Type: unsigned long]
[+0x054] pPDSip : 0x1c20700 [Type: _PROVDATA_SIP *]
[+0x058] pszUsageOID : 0x767f319c : "1.3.6.1.4.1.311.10.3.5" [Type: char *]
[+0x05c] fRecallWithState : 0 [Type: int]
[+0x060] sftSystemTime [Type: _FILETIME]
[+0x068] pszCTLSignerUsageOID : 0x0 [Type: char *]
[+0x06c] dwProvFlags : 0x80001080 [Type: unsigned long]
[+0x070] dwFinalError : 0x0 [Type: unsigned long]
[+0x074] pRequestUsage : 0x768191d4 [Type: _CERT_USAGE_MATCH *]
[+0x078] dwTrustPubSettings : 0x0 [Type: unsigned long]
0: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((WINTRUST!_WINTRUST_DATA *)0x7ceb00)
((WINTRUST!_WINTRUST_DATA *)0x7ceb00) : 0x7ceb00 [Type: _WINTRUST_DATA *]
[+0x000] cbStruct : 0x2c [Type: unsigned long]
[+0x004] pPolicyCallbackData : 0x7cef60 [Type: void *]
[+0x008] pSIPClientData : 0x0 [Type: void *]
[+0x00c] dwUIChoice : 0x2 [Type: unsigned long]
[+0x010] fdwRevocationChecks : 0x0 [Type: unsigned long]
[+0x014] dwUnionChoice : 0x2 [Type: unsigned long]
[+0x018] pFile : 0x7ceadc [Type: WINTRUST_FILE_INFO_ *]
[+0x018] pCatalog : 0x7ceadc [Type: WINTRUST_CATALOG_INFO_ *]
[+0x018] pBlob : 0x7ceadc [Type: WINTRUST_BLOB_INFO_ *]
[+0x018] pSgnr : 0x7ceadc [Type: WINTRUST_SGNR_INFO_ *]
[+0x018] pCert : 0x7ceadc [Type: WINTRUST_CERT_INFO_ *]
[+0x01c] dwStateAction : 0x1 [Type: unsigned long]
[+0x020] hWVTStateData : 0x0 [Type: void *]
[+0x024] pwszURLReference : 0x0 [Type: unsigned short *]
[+0x028] dwProvFlags : 0x1080 [Type: unsigned long]
0: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((WINTRUST!WINTRUST_CATALOG_INFO_ *)0x7ceadc)
((WINTRUST!WINTRUST_CATALOG_INFO_ *)0x7ceadc) : 0x7ceadc [Type: WINTRUST_CATALOG_INFO_ *]
[+0x000] cbStruct : 0x24 [Type: unsigned long]
[+0x004] dwCatalogVersion : 0x0 [Type: unsigned long]
[+0x008] pcwszCatalogFilePath : 0x7ceb50 : 0x43 [Type: unsigned short *]
[+0x00c] pcwszMemberTag : 0x7ced58 : 0x70 [Type: unsigned short *]
[+0x010] pcwszMemberFilePath : 0x0 [Type: unsigned short *]
[+0x014] hMemberFile : 0x0 [Type: void *]
[+0x018] pbCalculatedFileHash : 0x12357b0 : 0x2c [Type: unsigned char *]
[+0x01c] cbCalculatedFileHash : 0x14 [Type: unsigned long]
[+0x020] pcCatalogContext : 0x0 [Type: _CTL_CONTEXT *]
0: kd> db 0x12357b0
012357b0 2c ac 74 89 bc 3c f9 74-71 ec 23 93 d4 38 57 d5 ,.t..<.tq.#..8W.
012357c0 c0 84 9d 6b
0: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((WINTRUST!_CRYPT_PROVIDER_DATA *)0x7cea00)
((WINTRUST!_CRYPT_PROVIDER_DATA *)0x7cea00) : 0x7cea00 [Type: _CRYPT_PROVIDER_DATA *]
[+0x000] cbStruct : 0x7c [Type: unsigned long]
[+0x004] pWintrustData : 0x7ceb00 [Type: _WINTRUST_DATA *]
[+0x008] fOpenedFile : 0 [Type: int]
[+0x00c] hWndParent : 0x0 [Type: HWND__ *]
[+0x010] pgActionID : 0x7683d010 : {F750E6C3-38EE-11D1-85E5-00C04FC295EE} [Type: _GUID *]
[+0x014] hProv : 0x1232758 [Type: unsigned long]
[+0x018] dwError : 0x0 [Type: unsigned long]
[+0x01c] dwRegSecuritySettings : 0x2 [Type: unsigned long]
[+0x020] dwRegPolicySettings : 0x23c00 [Type: unsigned long]
[+0x024] psPfns : 0x176e438 [Type: _CRYPT_PROVIDER_FUNCTIONS *]
[+0x028] cdwTrustStepErrors : 0x26 [Type: unsigned long]
[+0x02c] padwTrustStepErrors : 0x16c8598 : 0x0 [Type: unsigned long *]
[+0x030] chStores : 0x1 [Type: unsigned long]
[+0x034] pahStores : 0x1c53b68 [Type: void * *]
[+0x038] dwEncoding : 0x10001 [Type: unsigned long]
[+0x03c] hMsg : 0x16e7290 [Type: void *]
[+0x040] csSigners : 0x0 [Type: unsigned long]
[+0x044] pasSigners : 0x0 [Type: _CRYPT_PROVIDER_SGNR *]
[+0x048] csProvPrivData : 0x1 [Type: unsigned long]
[+0x04c] pasProvPrivData : 0x1c50870 [Type: _CRYPT_PROVIDER_PRIVDATA *]
[+0x050] dwSubjectChoice : 0x1 [Type: unsigned long]
[+0x054] pPDSip : 0x1c20700 [Type: _PROVDATA_SIP *]
[+0x058] pszUsageOID : 0x767f319c : "1.3.6.1.4.1.311.10.3.5" [Type: char *]
[+0x05c] fRecallWithState : 0 [Type: int]
[+0x060] sftSystemTime [Type: _FILETIME]
[+0x068] pszCTLSignerUsageOID : 0x0 [Type: char *]
[+0x06c] dwProvFlags : 0x80001080 [Type: unsigned long]
[+0x070] dwFinalError : 0x0 [Type: unsigned long]
[+0x074] pRequestUsage : 0x768191d4 [Type: _CERT_USAGE_MATCH *]
[+0x078] dwTrustPubSettings : 0x0 [Type: unsigned long]
0: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((WINTRUST!_PROVDATA_SIP *)0x1c20700)
((WINTRUST!_PROVDATA_SIP *)0x1c20700) : 0x1c20700 [Type: _PROVDATA_SIP *]
[+0x000] cbStruct : 0x28 [Type: unsigned long]
[+0x004] gSubject : {C689AAB8-8E78-11D0-8C47-00C04FC295EE} [Type: _GUID]
[+0x014] pSip : 0x1c52868 [Type: SIP_DISPATCH_INFO_ *]
[+0x018] pCATSip : 0x1c51a78 [Type: SIP_DISPATCH_INFO_ *]
[+0x01c] psSipSubjectInfo : 0x1c53710 [Type: SIP_SUBJECTINFO_ *]
[+0x020] psSipCATSubjectInfo : 0x1c527f0 [Type: SIP_SUBJECTINFO_ *]
[+0x024] psIndirectData : 0x16c9a78 [Type: SIP_INDIRECT_DATA_ *]
0: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((WINTRUST!SIP_INDIRECT_DATA_ *)0x16c9a78)
((WINTRUST!SIP_INDIRECT_DATA_ *)0x16c9a78) : 0x16c9a78 [Type: SIP_INDIRECT_DATA_ *]
[+0x000] Data [Type: _CRYPT_ATTRIBUTE_TYPE_VALUE]
[+0x00c] DigestAlgorithm [Type: _CRYPT_ALGORITHM_IDENTIFIER]
[+0x018] Digest [Type: _CRYPTOAPI_BLOB]
0: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((WINTRUST!_CRYPTOAPI_BLOB *)0x16c9a90))
(*((WINTRUST!_CRYPTOAPI_BLOB *)0x16c9a90)) [Type: _CRYPTOAPI_BLOB]
[+0x000] cbData : 0x14 [Type: unsigned long]
[+0x004] pbData : 0x1715b40 : 0x2c [Type: unsigned char *]
0: kd> db 0x1715b40
01715b40 2c ac 74 89 bc 3c f9 74-71 ec 23 93 d4 38 57 d5 ,.t..<.tq.#..8W.
01715b50 c0 84 9d 6b 7c 95 81 76-09 00 04 00 8c 01 08 01 ...k|..v........
0: kd> db 0x12357b0
012357b0 2c ac 74 89 bc 3c f9 74-71 ec 23 93 d4 38 57 d5 ,.t..<.tq.#..8W.
012357c0 c0 84 9d 6b
第三部分:
nt5inf.cat里面查找 2 C A C 7 4 8 9 (即上面 db 0x12357b0 和 db 0x1715b40 打印出的那 20 字节 (0x14) 文件哈希; pbCalculatedFileHash 与 psIndirectData->Digest.pbData 内容和长度都一致, 所以 memcmp 返回 0, 不会走到 TRUST_E_BAD_DIGEST 分支):
0?&R 2 C A C 7 4 8 9 B C 3 C F 9 7 4 7 1 E C 2 3 9 3 D 4 3 8 5 7 D 5 C 0 8 4 9 D 6 B 1佅0b
+? 1T0RL