CRYPT32!CryptMsgUpdate 函数分析,以及 ASN.1 editor 中 nt5inf.cat 的总览信息(下面转储中括号内的长度均为十六进制字节数)
0000: 30 83 09 69 2f ; SEQUENCE (9692f Bytes)
0005: 06 09 ; OBJECT_IDENTIFIER (9 Bytes)
0007: | 2a 86 48 86 f7 0d 01 07 02
| ; "PKCS 7 已签名 (1.2.840.113549.1.7.2)"
0010: a0 83 09 69 1f ; CONTEXT_SPECIFIC (0) (9691f Bytes)
0015: 30 83 09 69 1a ; SEQUENCE (9691a Bytes)
001a: 02 01 ; INTEGER (1 Bytes)
001c: | 01
001d: 31 0b ; SET (b Bytes)
001f: | 30 09 ; SEQUENCE (9 Bytes)
0021: | 06 05 ; OBJECT_IDENTIFIER (5 Bytes)
0023: | | 2b 0e 03 02 1a
| | ; "sha1 (1.3.14.3.2.26)"
0028: | 05 00 ; NULL (0 Bytes)
002a: 30 83 09 57 31 ; SEQUENCE (95731 Bytes)
002f: | 06 09 ; OBJECT_IDENTIFIER (9 Bytes)
0031: | | 2b 06 01 04 01 82 37 0a 01
| | ; "证书信任列表 (1.3.6.1.4.1.311.10.1)"
003a: | a0 83 09 57 21 ; CONTEXT_SPECIFIC (0) (95721 Bytes)
003f: | 30 83 09 57 1c ; SEQUENCE (9571c Bytes)
0044: | 30 0c ; SEQUENCE (c Bytes)
0046: | | 06 0a ; OBJECT_IDENTIFIER (a Bytes)
0048: | | 2b 06 01 04 01 82 37 0c 01 01
| | ; "szOID_CATALOG_LIST (1.3.6.1.4.1.311.12.1.1)"
0052: | 04 10 ; OCTET_STRING (10 Bytes)
0054: | | bb fd 30 fb 6f a3 d9 40 82 26 85 87 87 cd 89 4b ; ..0.o..@.&.....K
0064: | 17 0d ; UTCTime (d Bytes)
0066: | | 32 34 30 39 31 35 30 33 34 35 30 36 5a ; 240915034506Z
| | ; "15.09.2024 11:45:06"(工具按本地时区显示,应为 UTC+8;编码值 240915034506Z 本身是 UTC 03:45:06)
0073: | 30 0e ; SEQUENCE (e Bytes)
0075: | | 06 0a ; OBJECT_IDENTIFIER (a Bytes)
0077: | | | 2b 06 01 04 01 82 37 0c 01 02
| | | ; "szOID_CATALOG_LIST_MEMBER (1.3.6.1.4.1.311.12.1.2)"
0081: | | 05 00 ; NULL (0 Bytes)
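第一部分:单步进入 CRYPT32!CryptMsgUpdate(断在函数第一条指令 push 2Ch 处)
注:下面 dv 中的参数与 kv 的 Args 一致(hCryptMsg、pbData、cbData);cbData = 0x96934 正好等于最外层 SEQUENCE 的 5 字节头加 0x9692f 字节内容。此时函数序言尚未执行,dwError、Asn1Err、cb、pDec、pb、lth 等局部变量应为栈上残留值(例如 lth = 0n8186136 即 0x7ce918,看起来是一个栈地址),不能当作有效数据解读。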
0: kd> t
CRYPT32!CryptMsgUpdate:
001b:75c79c1a 6a2c push 2Ch
0: kd> kc
#
00 CRYPT32!CryptMsgUpdate
01 WINTRUST!_GetMessage
02 WINTRUST!SoftpubLoadMessage
03 WINTRUST!_VerifyTrust
04 WINTRUST!WinVerifyTrust
05 sfc_os!SfcValidateFileSignature
06 sfc_os!SfcGetValidationData
07 sfc_os!SfcValidateDLL
08 sfc_os!SfcQueueValidationThread
09 kernel32!BaseThreadStart
0: kd> kv
# ChildEBP RetAddr Args to Child
00 007ce964 76804dc2 016e7290 01e00020 00096934 CRYPT32!CryptMsgUpdate (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pki\wincrmsg\wincrmsg.cpp @ 10279]
01 007ce994 76804e66 00096934 7683d010 76819334 WINTRUST!_GetMessage+0x13d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\softpub\msgprov.cpp @ 551]
02 007ce9ac 767fe0d8 007cea00 01751ff8 007ceb00 WINTRUST!SoftpubLoadMessage+0x73 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\softpub\msgprov.cpp @ 83]
03 007cea98 767fe3b8 00000000 7683d010 00000000 WINTRUST!_VerifyTrust+0x11c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\wintrust\winvtrst.cpp @ 372]
04 007ceabc 76837467 00000000 7683d010 007ceb00 WINTRUST!WinVerifyTrust+0x4c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\wintrust\winvtrst.cpp @ 167]
05 007cf4b8 768378c5 017506a8 00000678 0011a568 sfc_os!SfcValidateFileSignature+0x2ba (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 332]
06 007cf4e0 768379c5 007cf510 007cf508 00000010 sfc_os!SfcGetValidationData+0xe0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 2165]
07 007cf724 76838a3d 0112916c 017506a8 00000000 sfc_os!SfcValidateDLL+0xe4 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 2251]
08 007cffb8 77e41be7 00000000 00000000 00000000 sfc_os!SfcQueueValidationThread+0x4ce (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 1671]
09 007cffec 00000000 7683856f 00000000 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 533]
0: kd> dv
hCryptMsg = 0x016e7290
pbData = 0x01e00020 "0???"
cbData = 0x96934
fFinal = 0n1
dwError = 0xffffffff
fRet = 0n0
pci = 0x75c6fc74
Asn1Err = 0n272 (No matching enumerant)
cb = 0x75c9d114
pDec = 0x007cffdc
pb = 0x75c25e20 "???"
lth = 0n8186136
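第二部分:从 CryptMsgUpdate+0x1b2 单步进入 CRYPT32!PkiAsn1Decode
注:入口处 pbEncoded/cbEncoded 与第一部分的 pbData/cbData 相同(0x01e00020 / 0x96934),db 的内容也与开头的 ASN.1 转储逐字节对应。下面 dx 显示的 ASN1decoding_s 中 buf = 0x16cdde1、size = len = 0xb,与本次输入缓冲区不符,看起来是解码器句柄上一次使用留下的状态(待确认);magic 0x44434544 按小端字节序即 ASCII "DECD"。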
0: kd> p
CRYPT32!CryptMsgUpdate+0x1b2:
001b:75c79dcc e83b110200 call CRYPT32!PkiAsn1Decode (75c9af0c)
0: kd> t
CRYPT32!PkiAsn1Decode:
001b:75c9af0c 55 push ebp
0: kd> kc
#
00 CRYPT32!PkiAsn1Decode
01 CRYPT32!CryptMsgUpdate
02 WINTRUST!_GetMessage
03 WINTRUST!SoftpubLoadMessage
04 WINTRUST!_VerifyTrust
05 WINTRUST!WinVerifyTrust
06 sfc_os!SfcValidateFileSignature
07 sfc_os!SfcGetValidationData
08 sfc_os!SfcValidateDLL
09 sfc_os!SfcQueueValidationThread
0a kernel32!BaseThreadStart
0: kd> dv
pDec = 0x012337d0
ppvAsn1Info = 0x007ce944
id = 0x13
pbEncoded = 0x01e00020 "0???"
cbEncoded = 0x96934
0: kd> db 0x01e00020
01e00020 30 83 09 69 2f 06 09 2a-86 48 86 f7 0d 01 07 02 0..i/..*.H......
01e00030 a0 83 09 69 1f 30 83 09-69 1a 02 01 01 31 0b 30 ...i.0..i....1.0
01e00040 09 06 05 2b 0e 03 02 1a-05 00 30 83 09 57 31 06 ...+......0..W1.
01e00050 09 2b 06 01 04 01 82 37-0a 01 a0 83 09 57 21 30 .+.....7.....W!0
01e00060 83 09 57 1c 30 0c 06 0a-2b 06 01 04 01 82 37 0c ..W.0...+.....7.
01e00070 01 01 04 10 bb fd 30 fb-6f a3 d9 40 82 26 85 87 ......0.o..@.&..
01e00080 87 cd 89 4b 17 0d 32 34-30 39 31 35 30 33 34 35 ...K..2409150345
01e00090 30 36 5a 30 0e 06 0a 2b-06 01 04 01 82 37 0c 01 06Z0...+.....7..
0: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!ASN1decoding_s *)0x12337d0)
((CRYPT32!ASN1decoding_s *)0x12337d0) : 0x12337d0 [Type: ASN1decoding_s *]
[+0x000] magic : 0x44434544 [Type: unsigned long]
[+0x004] version : 0x0 [Type: unsigned long]
[+0x008] module : 0x75788 [Type: tagASN1module_t *]
[+0x00c] buf : 0x16cdde1 : 0x30 [Type: unsigned char *]
[+0x010] size : 0xb [Type: unsigned long]
[+0x014] len : 0xb [Type: unsigned long]
[+0x018] err : ASN1_SUCCESS (0) [Type: tagASN1error_e]
[+0x01c] bit : 0x0 [Type: unsigned long]
[+0x020] pos : 0x16cddec : 0xa0 [Type: unsigned char *]
[+0x024] eRule : ASN1_BER_RULE_DER (1024) [Type: ASN1encodingrule_e]
[+0x028] dwFlags : 0x1000 [Type: unsigned long]
0: kd> p
CRYPT32!PkiAsn1Decode+0x1:
001b:75c9af0d 8bec mov ebp,esp
0: kd> p
CRYPT32!PkiAsn1Decode+0x3:
001b:75c9af0f 56 push esi
0: kd> p