In the cool paper "Subverting Windows Trust" the mechanism of the Subject Interface Package (SIP) was described.
Let's see how we can extract and dump them.
Unfortunately the list of SIPs inside crypt32.dll doesn't have a name in the .pdb. One way is to find it with the help of IDA Pro, starting from the function FindDll:
; Excerpt from crypt32!FindDll as shown by IDA (Intel syntax, 32-bit stdcall imports).
; The prologue and the jump targets loc_5CF28F41 / loc_5CF28F50 / loc_5CF28F89 are
; not part of this excerpt. Register roles as far as visible here:
;   ebx = destination buffer of ExpandEnvironmentStringsW, later lpString1 of the compare
;   edi = current list node; [edi+4] = next, [edi+8] = name string (matches the
;         crypto32_dll_list_item layout described further below)
push [ebp+nSize] ; nSize  (size of the ebx buffer, in WCHARs)
push ebx ; lpDst
push [ebp+lpSrc] ; lpSrc
call ds:__imp__ExpandEnvironmentStringsW@12 ; eax = ExpandEnvironmentStringsW(lpSrc, lpDst, nSize)
test eax, eax ; 0 => expansion failed. NOTE(review): only the zero case is tested in this
              ; excerpt; a return value larger than nSize (result truncated) would pass here.
jz short loc_5CF28F50 ; failure path (target not in excerpt)
push offset dll_cs
call ds:__imp__EnterCriticalSection@4 ; dll_list is walked under dll_cs
mov edi, dll_list ; linked list of SIPs (head node; walked via [edi+4] below)
test edi, edi
jz short loc_5CF28F89 ; empty list (target not in excerpt)
next_item:
push 0FFFFFFFFh ; cchCount2 = -1: lpString2 is NUL-terminated
push dword ptr [edi+8] ; lpString2 = node->dll_name (offset 8 in the node)
push 0FFFFFFFFh ; cchCount1 = -1: lpString1 is NUL-terminated
push ebx ; lpString1 = the expanded string from above
push 1 ; dwCmpFlags = NORM_IGNORECASE, so the match is case-insensitive
push 409h ; Locale = 0x0409 (en-US LCID)
call ds:__imp__CompareStringW@24 ; eax = CSTR_LESS_THAN(1) / CSTR_EQUAL(2) / CSTR_GREATER_THAN(3), 0 on error
dec eax
sub eax, 1 ; eax -= 2: ZF set iff the result was CSTR_EQUAL
jz short loc_5CF28F41 ; name matched, presumably the "found" path (target not in excerpt)
mov edi, [edi+4] ; edi = node->next
test edi, edi
jnz short next_item ; loop until the list is exhausted
This address (I named it dll_list) contains the head of a linked list of SIP structures like this:
// One entry of a SIP DLL's function list, as reconstructed from crypt32.dll.
// Field names are the author's; offsets assume the 32-bit layout seen in the
// FindDll listing above and may differ between Windows builds — verify per build.
struct sip_item
{
sip_item *next; // +0: next entry, NULL terminates the list
PVOID unk4; // +4: ptr to the owning crypto32_dll_list_item
const char *fname; // +8: narrow-char function name; per the author the string bytes
                   //     are stored inline and run to the end of the sip_item allocation
PVOID pfn; // +0xC: resolved function pointer once resolved, else NULL
};
// One node of dll_list: a SIP DLL known to crypt32, as reconstructed from crypt32.dll.
// The next/dll_name offsets (+4/+8) are the ones FindDll reads as [edi+4]/[edi+8] above.
// Layout is undocumented and may differ between Windows builds — verify per build
// before relying on it in a dumper.
struct crypto32_dll_list_item
{
PVOID unk; // +0
crypto32_dll_list_item *next; // +4: read by FindDll as [edi+4]; NULL terminates the list
const wchar_t *dll_name; // +8: compared case-insensitively by FindDll ([edi+8])
HANDLE base; // +0xC: if the DLL was loaded - its load base, else NULL
DWORD unk10; // +0x10
DWORD unk14; // +0x14
sip_item *func_items_list; // +0x18: head of this DLL's sip_item list
                           // NOTE(review): if the unkNN names are hex offsets, one 4-byte
                           // slot between this field and unk20 is unaccounted for — confirm.
PVOID unk20;
PVOID unk24;
PVOID unk28;
};