Monday, April 18, 2016

xxxSetAuditingInterface

Nice piece of code from lsasrv:
_GetCngAuditFunctions@4 proc near   ; CODE XREF: SrvPrepKeyIso(x)+33p
                                    ; LsapInitCNGAuditing()+Dp
  test  ecx, ecx
  jz    short loc_5095F661
  mov   dword ptr [ecx], offset _AuditFunctionTable
  xor   eax, eax
  retn

_AuditFunctionTable db    1
  db    0
  db    0
  db    0
  dd offset _CngAdtSelfTest@12              ; offset 4
  dd offset _CngAdtKeyFileOperation@32      ; offset 8
  dd offset _CngAdtKeyMigrationOperation@28 ; offset C
  dd offset _CngAdtVerificationFailure@24   ; offset 10
  dd offset _CngAdtCryptOperation@28        ; offset 14
  dd offset _CngAdtPrimitiveFailure@16      ; offset 18


This table is used in the SrvPrepKeyIso and LsapInitCNGAuditing functions:

SrvPrepKeyIso:
  push  offset aKeyisosetaudit          ; "KeyIsoSetAuditingInterface"
  push  [ebp+hModule]
  call  ds:__imp__GetProcAddress@8
  mov   esi, eax
  test  esi, esi
  jz    short loc_5095F609
  lea   ecx, [ebp+var_8]
  call  _GetCngAuditFunctions@4
  test  eax, eax
  js    short loc_5095F609
  push  [ebp+var_8]
  mov   ecx, esi
  call  ds:___guard_check_icall_fptr    ; _guard_check_icall_nop(x)
  call  esi                             ; keyiso.dll!KeyIsoSetAuditingInterface

LsapInitCNGAuditing:
  lea   ecx, [ebp+var_4]
  call  _GetCngAuditFunctions@4
  test  eax, eax
  js    short loc_5095F64B
  push  [ebp+var_4]
  call  ds:__imp__BCryptSetAuditingInterface@4 ; bcrypt.dll!BCryptSetAuditingInterface
  test  eax, eax
  js    short loc_5095F64B
  push  [ebp+var_4]
  call  ds:__imp__NCryptSetAuditingInterface@4 ; ncrypt.dll!NCryptSetAuditingInterface


Let's see how this audit table is used.

keyiso.dll
keyiso.dll!KeyIsoSetAuditingInterface is just a forwarded export to NCRYPTPROV.SetAuditingInterface, so we look inside ncryptprov.dll. It first checks SE_TCB_PRIVILEGE for the current process and then stores the pointer into g_pAuditingFuncs.

KspCryptAuditKeyFileOperation - calls the function in the g_pAuditingFuncs table at offset 8
SPCryptImportKey, SPCryptSetKeyProperty, KspCryptAuditKeyMigrationOperation - offset C
KspCryptAuditVerificationFailure - offset 10
SPCryptFinalizeKey, KspCryptAuditCryptOperation - offset 14

ncrypt.dll
ncrypt.dll!NCryptSetAuditingInterface checks SE_TCB_PRIVILEGE for the current process, and that is all.

bcrypt.dll
bcrypt.dll!BCryptSetAuditingInterface checks SE_TCB_PRIVILEGE for the current process, and that is all.
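The flow above (lsasrv handing out its table, the provider accepting it only under SE_TCB_PRIVILEGE, and a Ksp* routine dispatching through a fixed slot) as a small C model added here; it is not code from lsasrv, keyiso or ncryptprov. The slot signatures, the status returned on the jz path, and the simulated privilege flag are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Model of lsasrv's _AuditFunctionTable as in the listing above: a 4-byte header
 * (db 1,0,0,0) followed by six function pointers. "offset N" comments are for the
 * x86 build on the page; on x64 the slots are 8 bytes apart. Signatures assumed. */
typedef int (*audit_fn_t)(int arg);
typedef struct {
    uint32_t   header;                /* offset 0: bytes 01 00 00 00 */
    audit_fn_t SelfTest;              /* offset 4  */
    audit_fn_t KeyFileOperation;      /* offset 8  */
    audit_fn_t KeyMigrationOperation; /* offset C  */
    audit_fn_t VerificationFailure;   /* offset 10 */
    audit_fn_t CryptOperation;        /* offset 14 */
    audit_fn_t PrimitiveFailure;      /* offset 18 */
} AUDIT_FUNCTION_TABLE;

#define STATUS_SUCCESS            0
#define STATUS_INVALID_PARAMETER  ((int)0xC000000D)
#define STATUS_PRIVILEGE_NOT_HELD ((int)0xC0000061)

/* Constructed stand-ins for two of the CngAdt* routines; the rest are left empty. */
static int fake_key_file_op(int a) { return 0x800 + a; }
static int fake_crypt_op(int a)    { return 0x1400 + a; }
static AUDIT_FUNCTION_TABLE AuditFunctionTable =
    { 1, NULL, fake_key_file_op, NULL, NULL, fake_crypt_op, NULL };

/* lsasrv!GetCngAuditFunctions: "test ecx,ecx / jz", else store the table pointer
 * and return 0. Callers test the sign bit (js), so the failure status is negative;
 * the page does not show what the jz target returns, so this value is assumed. */
int GetCngAuditFunctions(const AUDIT_FUNCTION_TABLE **out)
{
    if (out == NULL) return STATUS_INVALID_PARAMETER;
    *out = &AuditFunctionTable;
    return STATUS_SUCCESS;
}

/* ncryptprov!SetAuditingInterface model: accept the table only from a caller holding
 * SE_TCB_PRIVILEGE, then keep it in g_pAuditingFuncs. The privilege check is a flag here. */
static const AUDIT_FUNCTION_TABLE *g_pAuditingFuncs = NULL;
int SetAuditingInterface(const AUDIT_FUNCTION_TABLE *tbl, int caller_has_tcb)
{
    if (!caller_has_tcb) return STATUS_PRIVILEGE_NOT_HELD;
    g_pAuditingFuncs = tbl;
    return STATUS_SUCCESS;
}

/* KspCryptAuditKeyFileOperation: dispatch through offset 8; tolerating a provider with
 * no interface installed yet is assumed behaviour, not shown on the page. */
int KspCryptAuditKeyFileOperation(int arg)
{
    if (g_pAuditingFuncs == NULL || g_pAuditingFuncs->KeyFileOperation == NULL)
        return STATUS_SUCCESS;
    return g_pAuditingFuncs->KeyFileOperation(arg);
}
```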
