0000: 30 83 09 69 2f                            ; SEQUENCE (9692f Bytes)
0005:    06 09                                  ; OBJECT_IDENTIFIER (9 Bytes)
0007:    |  2a 86 48 86 f7 0d 01 07  02
|     ; "PKCS 7 已签名 (1.2.840.113549.1.7.2)"
0010:    a0 83 09 69 1f                         ; CONTEXT_SPECIFIC (0) (9691f Bytes)
0015:       30 83 09 69 1a                      ; SEQUENCE (9691a Bytes)
001a:          02 01                            ; INTEGER (1 Bytes)
001c:          |  01
001d:          31 0b                            ; SET (b Bytes)
001f:          |  30 09                         ; SEQUENCE (9 Bytes)
0021:          |     06 05                      ; OBJECT_IDENTIFIER (5 Bytes)
0023:          |     |  2b 0e 03 02 1a
|     |     ; "sha1 (1.3.14.3.2.26)"
0028:          |     05 00                      ; NULL (0 Bytes)
002a:          30 83 09 57 31                   ; SEQUENCE (95731 Bytes)
002f:          |  06 09                         ; OBJECT_IDENTIFIER (9 Bytes)
0031:          |  |  2b 06 01 04 01 82 37 0a  01
|  |     ; "证书信任列表 (1.3.6.1.4.1.311.10.1)"
003a:          |  a0 83 09 57 21                ; CONTEXT_SPECIFIC (0) (95721 Bytes)
003f:          |     30 83 09 57 1c             ; SEQUENCE (9571c Bytes)
0044:          |        30 0c                   ; SEQUENCE (c Bytes)
0046:          |        |  06 0a                ; OBJECT_IDENTIFIER (a Bytes)
0048:          |        |     2b 06 01 04 01 82 37 0c  01 01
|        |        ; "szOID_CATALOG_LIST (1.3.6.1.4.1.311.12.1.1)"
0052:          |        04 10                   ; OCTET_STRING (10 Bytes)
0054:          |        |  bb fd 30 fb 6f a3 d9 40  82 26 85 87 87 cd 89 4b  ; ..0.o..@.&.....K
0064:          |        17 0d                   ; UTCTime (d Bytes)
0066:          |        |  32 34 30 39 31 35 30 33  34 35 30 36 5a           ; 240915034506Z
|        |     ; "15.09.2024 11:45:06"
0073:          |        30 0e                   ; SEQUENCE (e Bytes)
0075:          |        |  06 0a                ; OBJECT_IDENTIFIER (a Bytes)
0077:          |        |  |  2b 06 01 04 01 82 37 0c  01 02
|        |  |     ; "szOID_CATALOG_LIST_MEMBER (1.3.6.1.4.1.311.12.1.2)"
0081:          |        |  05 00                ; NULL (0 Bytes)

第一部分：

0: kd> t
CRYPT32!CryptMsgUpdate:
001b:75c79c1a 6a2c            push    2Ch
0: kd> kc
#
00 CRYPT32!CryptMsgUpdate
01 WINTRUST!_GetMessage
02 WINTRUST!SoftpubLoadMessage
03 WINTRUST!_VerifyTrust
04 WINTRUST!WinVerifyTrust
05 sfc_os!SfcValidateFileSignature
06 sfc_os!SfcGetValidationData
07 sfc_os!SfcValidateDLL
08 sfc_os!SfcQueueValidationThread
09 kernel32!BaseThreadStart
0: kd> kv
# ChildEBP RetAddr  Args to Child              
00 007ce964 76804dc2 016e7290 01e00020 00096934 CRYPT32!CryptMsgUpdate (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pki\wincrmsg\wincrmsg.cpp @ 10279]
01 007ce994 76804e66 00096934 7683d010 76819334 WINTRUST!_GetMessage+0x13d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\softpub\msgprov.cpp @ 551]
02 007ce9ac 767fe0d8 007cea00 01751ff8 007ceb00 WINTRUST!SoftpubLoadMessage+0x73 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\softpub\msgprov.cpp @ 83]
03 007cea98 767fe3b8 00000000 7683d010 00000000 WINTRUST!_VerifyTrust+0x11c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\wintrust\winvtrst.cpp @ 372]
04 007ceabc 76837467 00000000 7683d010 007ceb00 WINTRUST!WinVerifyTrust+0x4c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\wintrust\winvtrst.cpp @ 167]
05 007cf4b8 768378c5 017506a8 00000678 0011a568 sfc_os!SfcValidateFileSignature+0x2ba (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 332]
06 007cf4e0 768379c5 007cf510 007cf508 00000010 sfc_os!SfcGetValidationData+0xe0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 2165]
07 007cf724 76838a3d 0112916c 017506a8 00000000 sfc_os!SfcValidateDLL+0xe4 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 2251]
08 007cffb8 77e41be7 00000000 00000000 00000000 sfc_os!SfcQueueValidationThread+0x4ce (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 1671]
09 007cffec 00000000 7683856f 00000000 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 533]
0: kd> dv
hCryptMsg = 0x016e7290
pbData = 0x01e00020 "0???"
cbData = 0x96934
fFinal = 0n1
dwError = 0xffffffff
fRet = 0n0
pci = 0x75c6fc74
Asn1Err = 0n272 (No matching enumerant)
cb = 0x75c9d114
pDec = 0x007cffdc
pb = 0x75c25e20 "???"
lth = 0n8186136

第二部分：

0: kd> p
CRYPT32!CryptMsgUpdate+0x1b2:
001b:75c79dcc e83b110200      call    CRYPT32!PkiAsn1Decode (75c9af0c)
0: kd> t
CRYPT32!PkiAsn1Decode:
001b:75c9af0c 55              push    ebp
0: kd> kc
#
00 CRYPT32!PkiAsn1Decode
01 CRYPT32!CryptMsgUpdate
02 WINTRUST!_GetMessage
03 WINTRUST!SoftpubLoadMessage
04 WINTRUST!_VerifyTrust
05 WINTRUST!WinVerifyTrust
06 sfc_os!SfcValidateFileSignature
07 sfc_os!SfcGetValidationData
08 sfc_os!SfcValidateDLL
09 sfc_os!SfcQueueValidationThread
0a kernel32!BaseThreadStart
0: kd> dv
pDec = 0x012337d0
ppvAsn1Info = 0x007ce944
id = 0x13
pbEncoded = 0x01e00020 "0???"
cbEncoded = 0x96934
0: kd> db 0x01e00020
01e00020  30 83 09 69 2f 06 09 2a-86 48 86 f7 0d 01 07 02  0..i/..*.H......
01e00030  a0 83 09 69 1f 30 83 09-69 1a 02 01 01 31 0b 30  ...i.0..i....1.0
01e00040  09 06 05 2b 0e 03 02 1a-05 00 30 83 09 57 31 06  ...+......0..W1.
01e00050  09 2b 06 01 04 01 82 37-0a 01 a0 83 09 57 21 30  .+.....7.....W!0
01e00060  83 09 57 1c 30 0c 06 0a-2b 06 01 04 01 82 37 0c  ..W.0...+.....7.
01e00070  01 01 04 10 bb fd 30 fb-6f a3 d9 40 82 26 85 87  ......0.o..@.&..
01e00080  87 cd 89 4b 17 0d 32 34-30 39 31 35 30 33 34 35  ...K..2409150345
01e00090  30 36 5a 30 0e 06 0a 2b-06 01 04 01 82 37 0c 01  06Z0...+.....7..
0: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!ASN1decoding_s *)0x12337d0)
((CRYPT32!ASN1decoding_s *)0x12337d0)                 : 0x12337d0 [Type: ASN1decoding_s *]
[+0x000] magic            : 0x44434544 [Type: unsigned long]
[+0x004] version          : 0x0 [Type: unsigned long]
[+0x008] module           : 0x75788 [Type: tagASN1module_t *]
[+0x00c] buf              : 0x16cdde1 : 0x30 [Type: unsigned char *]
[+0x010] size             : 0xb [Type: unsigned long]
[+0x014] len              : 0xb [Type: unsigned long]
[+0x018] err              : ASN1_SUCCESS (0) [Type: tagASN1error_e]
[+0x01c] bit              : 0x0 [Type: unsigned long]
[+0x020] pos              : 0x16cddec : 0xa0 [Type: unsigned char *]
[+0x024] eRule            : ASN1_BER_RULE_DER (1024) [Type: ASN1encodingrule_e]
[+0x028] dwFlags          : 0x1000 [Type: unsigned long]
0: kd> p
CRYPT32!PkiAsn1Decode+0x1:
001b:75c9af0d 8bec            mov     ebp,esp
0: kd> p
CRYPT32!PkiAsn1Decode+0x3:
001b:75c9af0f 56              push    esi
0: kd> p